* Posts by hh121

18 publicly visible posts • joined 26 May 2023

Malicious xz backdoor reveals fragility of open source


I completely agree with your logic, but from my point of view the maintainers are randos in the interwebs as well, let alone the volume of submissions and dependencies they are presumably dealing with. Given the number of these things it seems like a bigger issue. https://en.m.wikipedia.org/wiki/List_of_Linux_distributions

But even if you accept the primary maintainers are the good guys, how many more weak points are there with a package maintained by one person who can be socially engineered off? Or a package submitted by a baddie that was initially perfectly clean and good, but they have a longer game in mind. It's still all a trust thing.


I am curious about the down-votes...like how would paying devs for their contributions have helped in this scenario? And how do you know who you can trust as a contributor? Or who you can trust putting together yet another distro (which I've flagged before on other threads), let alone the chain of packages that may or may not get included, SystemD or otherwise? They can't even figure out who this contributor is (are) or where they are, let alone whether they can be trusted (not)...seems to be a pretty fundamental problem in the whole community approach to me. Considering the hoops I have to jump through to get a bank account or phone service, perhaps the bar to entry is (way) too low for something with this level of impact.


I don't think this was a money problem (not that I have anything against that being resolved), this looks more like a verified user problem, followed by a who's validating their output problem (or qualified to, or at all), followed by a complex ecosystem of packages.

Some rando on the interwebs can get into the chain and what's to stop them wreaking havoc? Damn right there's a chance there are other instances of this out there.

The big corps like MS, Oracle, Cisco etc. might not be perfect (or even close), but they'd be slightly more aware of who their employees are, and who did what, although it probably wouldn't take much to compromise that avenue too. Maybe all they've got is better traceability...

DBA made ten years of data disappear with one misplaced parameter


As a wise man once said, if you don't have a test system, what you actually don't have is a production system... Truncate was one of the things that caused a sharp intake of breath whenever I hit the return key. I've done worse though.

Your PC can probably run inferencing just fine – so it's already an AI PC


Re: the pachyderm in the parlour

Yep, I can't remember the last time I saw a desktop in the real world, and I get to see a fair number of customer sites too.

JetBrains TeamCity under attack by ransomware thugs after disclosure mess


Still don't get it

Why publish the how-to at all, unless you're a complete self-aggrandising wanker who wants to show off how clever you are? The people they're hurting aren't going to be buying anything from Rapid7, not before and definitely not after. Unless it's a bug bounty shakedown merchant, in which case who's the one taking hostages here?

Year of Linux on the desktop creeps closer as market share rises a little


Re: "Repeat after me" guy here ...

I remember one bank of my acquaintance nixing a FOSS email proposal because it lacked a delegation feature, so executives would have had to do all their own email. The horror. Outlook/Exchange prevailed. No idea if that's still an issue.


Re: Familiarity and compatibility

Your suspicion is entirely justified, I was at MS at the time, but the context of it was "here's what happens on one of our regular business spreadsheet templates", a template that had been in use for many years and was on every MS consultant's laptop, nothing rigged about it. I think the marketing droid who found it was surprised, it wasn't even that complicated a spreadsheet. Rate lookups and locked cells mostly.

Then again, a lot of the issues could easily be in the older versions of Excel that were still being supported for backward compatibility. If they cut the cruft free they'd get hammered for that instead (by their customers instead of the commentariat).

But this example was so long ago it was probably early on in the open source game too. Times change, compatibility will have certainly improved (I'd bet MS's standards compliance will have too, but many would probably bet not), and if someone can guarantee the compatibility you *might* get the decision makers onside. Good luck with the coloured pencil department. You can't be surprised by risk aversion though.


Familiarity and compatibility

I put the stickiness down to familiarity, with a side of no awareness. People know Windows and Office, and can't be bothered learning something new, and they probably don't know or care about Linux/Open Office etc. anyway. Maybe it's a marketing problem after all. I go back to Lotus 123 days too, and made that transition, I could do it again but why would I want to?

Also there's compatibility. If I'm working with partners or customers who are using Word and Excel, I have to be certain that whatever I'm using isn't going to bork their files. A long time ago someone at Microsoft demoed Open Office against Microsoft's standard internal expenses spreadsheet. As it opened, the existing data was corrupted, and when it was immediately saved without any changes it was corrupted again but differently. That's many versions ago and I'm certain it'll have improved, but who's on the hook if anything like that happened today? Ignoring evil old MS making something obscure and complicated, people need that to 'just work'.

And as has been noted, the browser UI for Office isn't much better than Notepad. It doesn't take long for me to hit the features that aren't present, so I have to use the desktop client apps. I've had documents fatally corrupted by Word in the browser and spent a lot of time fixing them on the desktop. Now I don't even bother trying to use it.

Finally, as of today OneDrive capacity for E3 subscribers is 'unlimited' (search for "e3 onedrive storage capacity"), if you have more than 5 subscribers. The initial default cap per user is 5TB, but if you jump through some hoops (calling support etc) it will be raised. Whether you want your users potentially syncing multiple TB to their laptop's 256GB SSD drive (accidentally or deliberately) is one for the philosophers.

Starting over: Rebooting the OS stack for fun and profit


Re: In the absence of files...

At the risk of approaching a rabbit hole, the reason for that SharePoint metadata-rather-than-folders thing is more because SharePoint doesn't treat the parent folders as a searchable attribute of the file. So the chances of a file called 'Jan2024.doc' in the folder 'board papers/fy24/europe' being found using a search for any of those terms would be iffy at best. Painful experience would rate it as unlikely.

That and the 400 char limit on URL length, which is quite easy to hit if you drag a file share into a SharePoint library.

Of course getting people to enter metadata on new content (useful and valid you hope), or parsing it from existing content in bulk are both significant hurdles.

Crunchbang++ versus Bunsen Labs: The pair turn it up to 12


I get the principle of Linux, Liam's articles about the FOSS landscape are invariably interesting, but I always end up with the same question...why does anyone need all the rats and mice variants, where 'choice' just means another headache (which seems to get bigger with each of these articles)? The concerns would be a) how can I be sure it's going to be kept up to date and secure, and b) how can I be sure there's nothing untoward in it, same as occurs to me when faced with any download/install of something that isn't from a trusted brand name. I barely trust my bank(s) and my telco(s) for software, let alone randos putting together distros.

Raspberry Pi Pico cracks BitLocker in under a minute


Re W11 requiring separate TPM chips...that's what I thought. And I was annoyed when the brand new (2 years ago) Gigabyte X570 board for my son's home build gaming rig didn't include one (according to the upgrade assessment tool), so I thought we were stuck on W10. But unbeknownst to me, when the system asked him for the umpteenth time if he wanted to update to W11 and he said Yes, it automagically enabled the soft TPM (don't ask me what happened, I wasn't there) and allowed the upgrade to proceed.

Missing Titan sub likely destroyed in implosion, no survivors


Re: "craft's carbon fiber hull"

Not my point, but to yours - as far as I know it was metal fatigue from the repeated compression/decompression, then yes, it exploded rather than imploded. Or just broke up in flight, which is just as bad. But they didn't find it because of the testing regime missing it. Didn't help that the Comet was the first of its kind.

In the sub's case it sounds like a combo of that plus water ingress / unsuitable materials.

Shall we bring in Apollo 13 for another tangent with no pressure at all?


Re: "craft's carbon fiber hull"

I was De Havilland and Nimrod adjacent a long long time ago, and one of the things I heard was that the problem on the Comet was that the pressure testing of the hull didn't do the whole thing in one go, it was done in sections (cheaper natch), and the failure was at the join of one of those sections.

Once they figured it out, pressure tested it properly (all at once) and resolved any issues it was fine, but by that point no one was going to buy or get in a Comet as a commercial flight. I may be misremembering it, or it's another urban myth I've inadvertently picked up along the way...that and the Concordski crash reasons.

It does have echoes for this incident though in the testing situation.

The Nimrod flew a very long time, way longer than you would have expected a design of that vintage. The issue there I heard was feature creep (needs a bigger radar, which needs bigger bird strike shields, which needs bigger radar to punch through it...and so on) till it got to the Mk3 and beyond, collapsed under its own budgetary weight and they bought AWACS instead. Still a good reliable airframe though.

Kinder, gentler Oracle says it's changed, and now wants you to succeed


Sounds familiar

"Customer Success Services" sounds suspiciously like Microsoft's "Enterprise Strategy Consultants", of which I was one. AKA the "designated hostage" who spent the next 3 years or so explaining why the client cannot convert those packaged services into licenses. Or giving them deployment plans for SharePoint circa 2003, only to be met at one Telco with "I can build that in Access". Or a health department in the teens faced with a CRM shaped problem and a Dynamics proposal, and an embedded contractor convincing them "I can build that in Access". Seems to be a theme here.

Europe’s biggest city council faces £100M bill in Oracle ERP project disaster


Re: What value!

"The solution will not be running in 10 years' time, I bet you. So an overall loss."

In ERP vendor thinking, once the client is on one or another product, they will be there for 10 years minimum. Oracle sales folk would fight like rats in a sack to win one. DBs you might be able to turn over more quickly, but not an ERP system.

That said, if this goes belly up they might not get in there for year 1.

"For £100m you could not just hire some techies, you could start a software company to build the solution. At least then you'd have a solution, and a software company."

How do you think Oracle came up with their products in the first place...


Re: So what is the right answer?

Standardise, yes. But...

Best of breed usually failed when they went for things that didn't integrate easily. Or at all. Irrespective of the combination of vendors. That's why most of the adoptions I see these days are single vendor for as much as you can possibly manage, and damn the compromises.

And in the SAP world, it was thought to be cheaper to change your company to fit SAP than to change it in any way, but alternatives were limited for a very long time. They're charging over to the cloud as fast as their anchor will let them.

As far as things like payroll are concerned, my expert colleague from Oracle UK developing a COTS payroll solution took one look at Australia's penalty rate legislation and decided the entire market was too hard to deal with. One size fits all isn't easy, especially in the public sector.

Finally, the biggest problem with Oracle's ERP for many, many '90s customers was that the instant you modified it, you couldn't upgrade it without redeveloping (not just retesting) all your mods. It was the underlying DB schema changes that screwed you. God knows how that plays in the cloudy Fusion world, but I won't be charging back there to find out.


Deja vu all over again

'Oracle Fusion, the cloud-based ERP system the council is moving to, "is not a product that is suitable for local authorities, because it's very much geared towards a manufacturing/trading organization"'

That was the problem with Oracle's ERP modules back in the early '90s. Sequent computers were the driving use case early on (almost exactly unlike nearly every other enterprise scenario, like food manufacturing, or publishing, or ...) and it was very difficult to get beyond that mindset. Well, that plus the fact that the various modules were developed largely in isolation, e.g. customers and suppliers were two completely separate things, which was fine until your customer was also a supplier, when it was a major headache.

And here we are 30 years later...