Posts by thames

Re: Ha! Ha! Ha!

@h4rm0ny - "It's depressing that nine people so far have modded you up for that."

It's depressing that 18 people have so far modded you up without looking at your link. That's just a link to a page on how to download and compile the source code. "Yum" is used in that process to install the compiler, Python, and Open-ssl libraries, assuming for some reason they are not already installed. Yum of course is the Red Hat RPM installer, used to install software from the Red Hat / Fedora / whatever repositories.

After that you have to download some more source code from a third party web site (opengroup.org) and compile that. Amusingly Microsoft points to a dead link. I guess you are expected to rummage around on opengroup's web site to look for it.

Assuming that you have compiled everything from source, then you need to cobble together a sys V init script. They helpfully give a sample which may or may not work. No Systemd or Upstart files or tips though.

All in all, it's a prime example of the sort of thing which Windows fans claim is the normal install procedure for software on Linux, and which actual Linux users wonder WTF these Windows fan boys are talking about. Now we know. It's apparently the sort of thing which they have come to expect from Microsoft.

Let us know when there's actual Linux packages available for actual Linux distros, and perhaps we can take a look at it.

Re: Will the real instruction set please stand up?

According to Wikipedia, this is either the same organization as made the mainframes or a descendent of it. They made several lines of computers. The originals had some similarities to Borroughs mainframes, but they were independent designs, not copies. In the 1980s, they switched to a VLIW architecture. This current chip seems to be a descendent of that.

They also made a separate line of products using the SPARC architecture. Something that isn't clear is whether this new chip somehow incorporates the SPARC instruction set as well as the Elbrus VLIW one, or whether that is just garbled reporting mixing up the two product lines. I suspect it's the latter.

Their chips are (according to Wikipedia) used in the "space program, nuclear weapons research, and defence systems". Now you know why the Russians use them. The Americans won't sell chips to them for use on those markets.

The model of chip that comes out this year is the 8S, which is 8 cores, 1.3 GHz, and built on 28 nm. It sounds pretty respectable even by today's standards.

Re: The NHS

@Boris the Cockroach - "problem is much like mine in the industrial arena."

I was involved in commissioning a new machine in a factory a while ago. It used a PC running Windows 2000, which at the time had just had support terminated. I asked the rep from the company which made it about that, and he was shocked and dismayed to hear this. It was their latest model. They had just got the design to work properly. Damn this Microsoft for doing things like this to them. Anyway, it wasn't their responsibility, since they just buy the PC from someone else and stick it in their machine ($100,000 plus) and load their software on it. Shrug, what can you do anyway? Now let me show you the interface to the conveyor system. There were only two or three companies in the entire world which made that sort of equipment, and the others weren't any better.

Oh, and the biggest company in the industrial automation market (who shall remain nameless, but they're a giant whom you've all heard of) had one of their premier software products running on CP/M in an emulator which ran on MS-DOS, which ran in a compatibility box on Windows. Finding a PC which still had a serial port which was compatible with it (USB serial converters didn't work) was a pain in the arse. A very large chunk of the world's factories, utilities, water systems, etc. was run by their hardware.

Long term support for our software? Oh, yeah, we've got this new product you ought to buy. Just rip the guts out of your factory (power plant, water supply, etc.) and replace it all with our new stuff.

It's probably better to think of Asm.js as a form of intermediate representation. A lot of compilers go from source code, to intermediate code, to machine code. Among other advantages, this lets you combine various different front end language translaters with different back end machine code generators. In the case of Asm.js, the intermediate representation just happens to be a sub-set of Javascript.

The Pypy Python JIT takes a somewhat analogous approach in that it uses a subset of Python called RPython which can be highly statically optimized into machine code by the compiler. I say "somewhat analogous" because they don't use it as a compiler target for writing user supplied programs. Instead, it's just part of the toolkit they use to write interpreters and JIT compilers in, including Pypi, along with PHP, Ruby, and others (it's a general purpose language toolkit).

The basic idea behind both is that speed has nothing to do with "compiler" versus "interpreter". Both Javascript and Python are compiled. The real issue is "static" versus "dynamic". Both Javascript and Python (along with Ruby, PHP, and various others) are very dynamic languages which can only really be analysed completely by observing them at run time to see what they are actually doing. However, if you strip out the dynamic features from them and leave a core which can be analysed statically, then you have something which can be statically compiled, that is analysed and optimized in advance, just as much as something like C or C++. Without that, you need to either use an interpreter, or a JIT compiler, or a combination of both working together (like most current Javascript and some Python systems do, oh and like Java does even though it's not dynamic).

If course it's those dynamic features which attract developers because dynamic features let you write less code, writing code takes time, and time is money. It's all a trade off, and the best tool for the job depends on the type of project and the market. That's why we have so many programming languages.

The way that Asm.js is meant to be used is that you take libraries written in something like C++, and you compile them using their compiler to Asm.js code. Games is the big market being looked at, although no doubt there are loads of other applications. It won't replace run of the mill Javascript code though, just the stuff that has to be highly optimized for CPU performace.

The real competitor to Asm.js is Google's NaCl, which also uses an intermediate representation, although in their case its special NaCl code rather than a subset of Javascript. Looking at market acceptance though, it looks like Asm.js has pretty much won that battle, and NaCl is a dead end. It's also one of the final nails in the coffin for Flash and Silverlight.

Re: why, why, why... what is the point?

@Russell Hancock - "In the last week I have looked at all the following, please someone explain why they need to be secure.."

Most of those sites you listed will be going to http/2 anyway, which is encrypted by default and has no unencrypted mode. They'll be going to it because it will give them better performance, use less bandwidth, and work better with mobile. Tests so far have shown http/2 with encryption to be faster than regular http without encryption. Chrome and Firefox already support it, and the other browser vendors will be following suit if they haven't already.

Mozilla's proposal is for what to do about sites that don't change to http/2 because they don't want to change anything. Their proposal is that those sites will continue to work as is for the foreseeable future, they just won't be able to access new browser features. Since those site operators who claim they don't want to change anything won't be accessing new features anyway, then they've really nothing to complain about, do they?

The only people who will be affected are those who want to use the latest bleeding edge web technologies, but don't want to do it over http/2 or encrypted http.

Re: Shortsighted reaction on the side of Canonical

The discussion evolved quite a bit from his original description, which was rather vague and impractical. The person who reported it was working on finding a way to brute force an exploit, but at the time of writing this comment he still hadn't.

As for the original method, the Canonical guy said "If you have administrative users that are leaving session unlocked, you have a more serious security issue than being able to change the time." To make a long story short, if you have administrator access you can do administrative things. The Canonical guy isn't blowing the issue off, he's just saying 'show me a feasible exploit that doesn't require initial conditions that are not a serious security problem on their own'.

I'm not going to criticize the guy who reported this as a bug. I would rather have an overly paranoid set-up than an overly lax one. Even if he can't make a practical exploit out of it, someone else may find a way to do so later.

I won't be surprised if Ubuntu closes this by updating to the latest version of "sudo", but I have to agree that it's not a serious issue at this time. If you are worried about it, just use "-k" with sudo or close your admin terminals before leaving your computer logged in, unlocked, and unattended.

Re: some thoughts...

@Phil dude - "I am guessing there is substantial liability attached to planes, vehicles, industrial robots etc....?"

I've done a lot of work on industrial software (and hardware), and components like robots are part of a system in a larger machine or manufacturing cell. You design the machine on the assumption that software and hardware has bugs and that something like a robot could go wonky. If the operator can get hurt due to something the robot did, then that's the fault of the person who designed the overall system.

There are safety components such as light curtains, two-hand controls, safety relays, etc. which are designed to be "fail safe". These tend to be fairly simple things with very limited feature sets. You use these as building blocks to provide safety systems for use with for example your robot. Most complex industrial machines are one-off custom built jobs, so there's no universal "solution" to safety. The real problems must be solved at the individual application level.

At one time a popular brand of light curtain (used to disable a machine if you pass your hand through the curtain of light) used a software based system that used two different programs running in parallel on two different microprocessors (I think one was a Motorola, and the other an Zilog or Intel). Their later generations evolved to use ASICs to eliminate the software, and I think that everyone else did the same.

Safety shutdown systems in something like an oil refinery or a large boiler control are another much more complicated story altogether, and I won't go into that.

I can think of lots of well known third party companies who run their operations entirely on Amazon. I can't think of any who do the same with Microsoft Azure.

I tried googling for something about this Aaron Rakers from Stifel to see what he actually said about MS Azure, and all I can seem to find is older Register reports which last year said that Rakers claimed that MS Azure was beating Amazon, and obscure blogs which said that the Register reported that (you get the picture). Of this mysterious report itself, there seems to be no sign (I notice that it isn't linked to in the story). Nobody else in the IT press seemed willing to touch the story (including the earlier versions) with a barge pole.

So, I'm going to say that I'm a bit sceptical about the whole thing unless I see some real evidence. I also notice that the Reg journo seems to be holding the report out at arm's length like a long dead fish. I hope he got a decent lunch out of the Microsoft PR flack last Friday because otherwise his time was thoroughly wasted.

Re: Raise your hand...

@Mike Bell - Re: IIS market share "Nope."

You forgot to use the "joke" icon. Your own link shows IIS market share falling steadily down to third place since 2008, from 20 - 30% down to 10 - 12% for real web sites ("top million" sites are real sites, rather than placeholder pages held by domain speculators). The "top million" sites shows a steady smooth decline over time. IIS has been in third or fourth place for several years and is well on its way to oblivion. That's according to the data in your own link.

Seriously, I think that Microsoft knows that IIS is well on its way to being an ex-parrot and doesn't think there's much to be done about it. As a result, they'll give it basic maintenance and security patches, but they aren't taking it seriously enough to pro-actively get rid of the obviously bad ideas like the one which is the cause of this current security flap.

Since IIS is a legacy product, that's not too surprising. A lot of other vendors tend to take the same attitude to product lines which are on their way out to pasture.

Re: One of the reasons I abandoned them years ago

I also have to say that the AMD APUs have been great for running Linux for me. I'm using one to post this from Ubuntu 14.04 with Unity. It's using the Gallium open source video driver which comes with Ubuntu, so I don't have to fiddle about with proprietary drivers.

Overall, it's been very solid, fast, and trouble free with all the usual GUI stuff, including full screen video. For a Linux GUI desktop, I really wouldn't consider anything else at this time.

@Trevor_Pott - "Just get them to port to Postgres."

I listened to a podcast interview with one of the principle developers of Postgres a couple of years ago, and he said that the largest number of users porting software from another database to Postgres came from MS SQL Server. This came as a surprise to the interviewer, as Postgres is generally considered to be more similar to Oracle than to MS SQL Server. However, that was their experience.

I take this as meaning that the differences between the details of how different databases work isn't that significant an issue when it comes to porting effort in many cases. I suspect this is because a very large proportion of applications don't really demand that much out of their database and don't use any of the more esoteric features. That is probably especially true for the SMB market that you mention.

Re: LTS?

@keithpeter - " Ubuntu: LTS every 2 years each with 5 years support. Fedora: Basically acts as the input/testing platform for RHEL ..."

This is a problem the article has when comparing Windows to Linux. The Ubuntu and RHEL/Fediora models are utterly different from each other and the author doesn't understand them. There is only one Ubuntu (GUI and CPU choices aside), there's no such thing as a "community/freetard edition". What you download from Canonical is the same whether you pay them or not. Every six months they put out a development release, but every two years they put out an LTS. You can skip an LTS release and still have support.

Red Hat on the other hand handles things very differently. Fedora is generally packed with bleeding edge stuff, and has a support life of only a little over a year (the length varies). You get a month or two of grace after the next release, but then you have to upgrade if you want security fixes. RHEL is only available to paying customers (yes CENTOS is a RHEL clone, but it's not called RHEL) and it comes out at erratic, infrequent intervals like Windows does. It's not a timed release.

With Ubuntu, you upgrade in-place by clicking on a button (or by typing a command if you are using a GUI-less server). You upgrade RHEL by nuking and installing from scratch. Fedora attempts an in-place upgrade, but more often than not it fails. Most Fedora users don't seem to even try in-place upgrades anymore.

Ubuntu and Red Hat release on completely different principles. Comparing Windows to Ubuntu and Fedora tells us nothing about what Microsoft intends to do. Will it be like Ubuntu? If so, will there be non-LTS development releases? Will it be like RHEL - nuke and re-install? Or will it be like Fedora - upgrade every year, with in-place upgrades failing left and right?

Perhaps the author could have thrown in Arch just to complete the confusion - upgrade every day to the very latest off the fingertips of the developers, with things working most of the time, but with the occasional complete failure.

I suspect that the Microsoft Windows developers want something like Arch, sales and marketing want something like RHEL, and the IT press think that the result will be something like Ubuntu.

Re: Must be my eyes

In the H264 version, a lot of the transverse ceiling tile support frames are blurred out of existence, while they are visible in the VP9 version. Also, if you look at the woman in the middle who is split between the images, in the H264 version you can see jagged lines along the edges of her leg, while the edges on the VP9 version are clear. The same is true for straight edges along the walls as well. The "jaggies" are there to some extent in VP9, but they are much smaller and less prominent than in the H264 version.

The VP9 version definitely has a better picture. On the other hand, I'm not sure I would notice any difference if I wasn't actually looking for one.

I suspect the biggest advantage will be in terms of reduced bandwidth needs for VP9. That matters to YouTube who are paying a lot of bandwidth bills, and also to end users who are watching the videos via their mobile phone or capped Internet connections.

Since Google owns the dominant mobile phone OS and a major computer web browser, they can push the VP9 codec out to most of the market. Firefox also supports it, and it's built into a lot of newer televisions. On the source side, YouTube is a very big chunk of total Internet bandwidth. So if Google wants to use it, it's going to get used on a really big scale.

Re: Docker

@K - Yes Docker tries to do one thing well, but that's its strength. It's not meant to solve every problem, but it solves a lot of common ones. Any complex IT system would consist of a mix of containers and traditional VMs, and indeed containers inside of traditional VMs.

As for what Nutanix is going to do, I agree it's more likely they are adding their own management tools on top of KVM than actually rolling their own hypervisor. The same may be true for Docker containers.

Re: Menus

@keithpeter - I'm using Ubuntu Unity 14.04, and it works fine.

"Steps to reproduce: Load LibreOffice Writer, click in the new document window, press and hold the Alt key while pressing the I then the O then the F keys then release the Alt key"

Try releasing the Alt key after pressing the "I" but before pressing the "O". You will notice that the underscore showing the top level key options will disappear when you let go of the Alt key. Holding the Alt key down lets you select a different top level menu option without having to cancel the operation and starting over. Once you let go of the Alt key point you can then select options within the selected drop-down menu by pressing additional keys on their own.

It's not "broken". This method is a lot more keyboard friendly if you're not entirely sure where the option you want is located. It lets you poke around in the menus to find something without having to use the mouse.

Re: Seems a bit pricey

Admit it. You downloaded your copy of Vim off of the Pirate Bay.

Re: Would The Reg please stop

@Christian Berger - " I used to work in a large appliance manufacturer with a "no FOSS" policy. This is because one of the owner companies was sued for violating the GPL because they didn't respond to a complain within 2 months or so."

Was that an IT appliance manufacturer, or a kitchen appliance manufacturer? If the latter, they must really have struggled to find a way to violate the license. Even for the former they must really have worked at it because the number of actual FOSS copyright lawsuits that I have heard of can probably be counted on the fingers of one hand (mainly Busybox in embedded systems), and those have always taken years of ignored lawyers letters from the copyright holders before they took the step of going to court over it.

And I have to wonder just how sympathetic Microsoft or Oracle would be to pirating their software if you simply ignore their complaints. Those companies sue loads of people all the time over license violations.

Anyway, their IT setup must be interesting, because they can't use Java since that's open source (GPL) and loads of Java libraries and frameworks are only available as open source. Their heads must be ready to explode now that Dot Net is supposedly becoming open source.

If Microsoft drops out of the phone OS business, they are going to be rather limited in their choice of mobile phones since both Android, Apple, and Blackberry phones all have substantial FOSS bits that can't be removed.

Baidu hasn't been hacked. This is supposedly happening somewhere else. Some part of the network (possibly the routers) is injecting Javascript into the response traffic after it has left Baidu but before it reaches the user to add extra Javascript. ISPs in the US have been doing the same thing to inject advertising, but in this case the Javascript conducts a DDOS instead of showing ads.

From the sounds of it, Baidu wouldn't even be able to see anything different from their data centres, since the Javascript injection happens somewhere else in the Internet, possibly on its way out of China.

I imagine that Baidu is not happy about this, since it would have the potential to hurt their business. The article isn't clear on this, but it describes the traffic being intercepted as being from "Baidu's advertising network", so it's quite possible that Baidu is losing a significant amount of money on this.

Re: Smart, huh?

@John Lilburne - "The bulk of the known sources of uranium aka yellow cake is mined in Chad which is not exactly stable"

According to Wikipedia, the only mineral which Chad mines is small quantities of sodium carbonate. I've not seen any source which says they produce any uranium at all.

The number 2 uranium producer is Canada, and Australia is number 3 (Kazakhstan is number 1). I'm pretty that neither Canada nor Australia are about to fall over due to political instability.

Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

I just had a look at Secunia's database, and it looks like they count vulnerabilities in all the software that can run on Gentoo against Gentoo itself. In other words, a Java vulnerability counts against Gentoo, and so do problems with Chrome, Flash, etc. I don't know how they end up with fewer vulns for Gentoo than for Chrome alone, but that might just be because Gentoo might lump several Chrome vulns into one notice.

Secunia is counting by vendor, and since Gentoo redistributes lots of third party software then all the third party stuff which could potentially get installed gets counted against Gentoo. On the other hand, the exact same software may have the exact same vulnerabilities on MS Windows or Apple OS/X, but it won't be counted against Microsoft or Apple because they didn't distribute it.

I think Secunia simply counts notices put out by vendors, they don't actually analyze them and apply any judgment. This means that the more conscientious and detailed a vendor (or distro) is about informing their customers (or users), the higher the vulnerability count they will have.

It also means that you can't actually compare vulnerability counts between vendors unless they operate, distribute, and report in a similar manner. That would just be comparing apples to oranges. I'm sure though that won't discourage our favourite anonymous security commentard from ignoring the facts and stuffing both feet in his gaping pie hole. Let me save him some trouble - "Microsoft had zero vulnerabilities while Linux had seventy-bazillion and caused global warming as well". There, now where do I pick up my cheque from Microsoft?

As to why Gentoo has loads more security vulnerabilities reported than any other distro, I suspect that is simply due to differing reporting and repo support policy. If another distro has smaller supported repos with fewer third party software packages, then they will pretty obviously have fewer vulnerabilities to report on to their users. Note though that I said supported repos. Different distros have different support policies.

I'm not sure what the story is for Solaris. I didn't bother looking them up in the database, and I'm not sure what their distribution, support, and reporting policies are. I wouldn't be surprised though if a lot of the apparently high vulnerability count is also simply due to double counting of non-Solaris related problems combined with a long support life.

Re: Wow!

The news story didn't quite quote it correctly. The number refers to items of network traffic that were believed to be associated with a "threat". In other words, emails, HTTP GETs, log-in attempts, etc. that looked unusually suspicious. The slides date from 2009, so I imagine the numbers are a lot bigger today.

The original source wasn't clear, but it appears that this number may be an aggregate across the entire "5 eyes" rather than just counting "threats" directed at Canada alone.

As for the "125GB of internet traffic per hour", that's counting just the "metadata", not the full network traffic that goes with it. I also imagine that they've increased these numbers considerably in the past half dozen years.

Re: Is it wrong?

@I ain't Spartacus - "What would happen if someone manages to poison Google so that a search for hsbc gives hsbc.scam, instead of hsbc.com?"

So is "royal.bank" the Royal Bank of Canada (Canada's biggest bank), the Royal Bank of Scotland (weren't they a bit shaky?), or the Royal Bank of Nigeria (I just made that one up)? I guess I'll just have to google "Royal Bank" and click on the first link that comes up. Or I could just look at the business card the nice lady at the bank gave me when they set my account in the first place.

@I ain't Spartacus - "you weren't allowed to register a dot.bank unless you were regulated by a legitimate national central bank (or banking regulator)"

Because that works out so well for all the crooked banks in all the massively corrupt countries around the world. Do you have any idea how easy it is to get a financial institution license in a lot of countries? Do you have any idea how many "banks" are just brass plates or file folders in obscure third world countries?

@I ain't Spartacus - "the registrar could operate a national page"

Or the UK government could simply set up a ".bank.uk" sub-domain and tell the handful of existing UK banks to use that. Then it would be entirely under UK law in the same way the banks themselves were and you wouldn't have to worry about the honestly and integrity of the Royal Bank of Nigeria.

Re: Sir

@Anonymous Coward - "Software is written by the same people with the same level of knowledge of software security"

I follow control engineering forums where this sort of question comes up. It's usually phrased as "the customer has just told us that he wants to check his wind turbine over the Internet. Is there some sort of web box thingy that I can add to the PLC to do this?" They then buy an eye-wateringly expensive "module" from the PLC vendor that lets you load a web page using MS Frontpage and associates a selection of ActiveX or Java "web controls" directly with PLC memory addresses. They're all designed to be installed by people who have never created a web page before and wouldn't know an HTML tag if it bit them. Difficult problems like oh, let's say security, are dealt with by not having any.

For 99.9% of people doing control engineering work, their knowledge of things Internet or web is limited to knowing where the good porn sites are. The control hardware they use is sold by companies whose knowledge of things webby is little better.

Re: Critical point missed.

An even more critical point is that the bulk of the world's oil and gas resources are not owned by the well known major oil multi-nationals. They're owned by governments who are more concerned about long term revenue streams than they are about stock market valuations. These are Saudi Arabia, Iran, Russia, Qatar, the UAE, etc. Most of these countries also have national oil companies who finance their investment out of cash flow, not the stock market.

The big western oil multi-nationals operate around the fringes of that. What those well known multi-nationals do or don't do won't make much difference on a global scale.

Re: @Trevor Don't buy US kit

@Trevor - Winston Churchill supposedly once said something along the lines of "the Americans can always be counted on to to the right thing, once they have exhausted all the other possibilities". Right now they're still near the top of the list of alternatives, and it's a very long list.

This sort of story will put pressure on large American companies who will see their export markets melt away as IT technology become more and more vital and valuable. The fact that someone, somewhere else in the world may be worse isn't going to make customers trust them. It's like asking which of two paedophiles is the least bad one to babysit your children.

Ultimately the real answer to the "Cisco-NSA" problem is going to have to be technological. People were already thinking along the lines that we need better security, but the Snowden revelations have given that process a big kick in the pants to move the process along. If the NSA can hack into your systems, then so can anyone else, including common criminals. Either you're secure, or you're not. Right now most companies and individuals are storing their data in the equivalent to a cash box in a desk drawer with the key taped to the top of it.