* Posts by Claptrap314

2976 publicly visible posts • joined 23 Jan 2015

At last, the fix no one asked for: Portable home directories merged into systemd

Claptrap314 Silver badge

The only smart phones I have ever had were issued by my employer. And yeah, the only company code I ever had on a home system was during the wind-down of a bought-out startup.

If only 3 in 100,000 cyber-crimes are prosecuted, why not train cops to bring these crooks to justice once and for all, suggests think-tank veep

Claptrap314 Silver badge

I'm confused...

Are we supposed to pay off the ransomware perps or send in the SWAT team to chase the packets back to the source?

Seriously, as another has mentioned, this is like saying that banks should not train their personnel in anti-fraud procedures, but we should just have cops everywhere so no criminal will try anything.

Hard pass.

There are already Chinese components in your pocket – so why fret about 5G gear?

Claptrap314 Silver badge

From a grand strategic view, I've long been mystified that the EU was not taking steps to be cyber-independent. From the view of the individual actors, it is depressingly obvious.

Still, this gem from the article is too good not to quote, "Similarly, most American service providers have managed to retain far more expertise and are able to run their networks much more independently of their vendors. US providers may leak less customer data, but to compensate, they flat out sell it."

Claptrap314 Silver badge

https://www.youtube.com/watch?v=urglg3WimHA

Claptrap314 Silver badge

Re: Standards?

Sounds like you read IEEE-754 (the standard for floating point, published in 1985).

Claptrap314 Silver badge

Re: "It is perfectly possible for the West [..] to decide on a coherent policy"

You're out of date on those trends, and your anti-Republicanism is blinding you further.

First, the US is currently a net oil exporter. This is a direct result of eliminating the restrictions on oil exploitation that were created early in the Obama administration when fracking first became economically viable. The proven US reserves are quite large, and even in high school almost forty years ago, I understood that these reserves represented a grand strategic limit on Middle Eastern oil power. (What I actually said on this issue: "Doesn't it make sense to let them sell us oil when it is cheap, while we hold ours for when it is expensive?" I did not reckon with advancing technology making our oil cheap as well.)

The US has indeed exported far more manufacturing than is wise at a grand strategic level. One of the weaknesses of an open economy is that there is little that the government can do to prevent this if it wants to keep the economy open. Note that President Trump is the first to address this concern in quite some time. Not that I agree with his methods on this issue, but he is the first to do more than make a couple of statements on the campaign trail somewhere.

Renewables are not capable of producing the amount of energy required to fuel a vibrant economy. There are hard limits on things like erg/m^2 received by the sun. If you don't like oil (who does, I mean, really?) we have fission until fusion is ready. Note that the price of thorium has gone positive, which means that smart, rich people are betting that fusion is coming online.

And that will be _good_ for the US, as it will reduce energy costs.

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

Claptrap314 Silver badge

Many (most?) unix commands are !#/dev/garbage

Thinking about this bug, I cannot help but be upset at the core unix model: many, many programs have a LOT of functionality that can only be controlled via the command line. As others have noted, this is okay-ish if we are all friends. But we are not all friends.

Programs do not exist in isolation. They are part of much, much larger ecosystems that exist in order to make certain people happy. Given that it is impossible to predict what purposes users might want to make of any given application, or in what environments, ethical programming requires that the programmer exercise care to ensure that their programs are easy to invoke safely and produce output that is easy to use.

If a program cannot receive its control input via stdin, it is broken.

If a program cannot receive its control input via config file, it is broken.

If a program can reasonably expect that its output might be used for input, but only after further processing, it is broken.

If a program has command line options that require some sort of Turing-complete system to parse, it is broken.

If a running process cannot have its config updated either via an api call on a port, or by reading a config file after a sig 1, it is broken.

If a long running process does not dump its config (on startup and on change) to a log file in an easy-to-parse fashion, it is broken.

The command line is simply too dangerous an environment for arbitrary data to pass through. In secure mode, programs should refuse to take data on the command line that can be arbitrary text.

Claptrap314 Silver badge

Re: With great power...

How about just fixing the programming model instead?

Claptrap314 Silver badge

You are assuming that the command line is the only way that a program should be receiving data. THAT is hugely wrong, and is a common limitation of a lot of unix programs. Newer ones provide better (and much safer) interfaces for IPC.

Claptrap314 Silver badge

There are fifty ways to pass a message

Drop the data in a file, Kyle

Send it on a socket, Crocket

Put it in shared memory, Stephanie

...

Remember when Europe’s entire Galileo satellite system fell over last summer? No you don’t. The official stats reveal it never happened

Claptrap314 Silver badge

Re: WTF?

During war or outside it? Oh, and please define "war". https://en.wikipedia.org/wiki/Quasi-War

You know the President is able to shut down all US comms, yeah? An FCC commish wants to stop him from doing that

Claptrap314 Silver badge

Re: "the Register can do much better than this"

That's a cop out. Kieren manages an anti-Republican (currently anti-Trump) slam in every article that she writes. There is a very legitimate issue regarding extraordinary powers of the president, but by turning the article into a stream of partisan invective surrounding a couple of facts, she makes this nothing more than a diatribe against a president and the associated party.

Taking as serious a matter as extraordinary powers and using it as nothing more than a club to beat an opponent leaves the strong impression that the issue is not the issue at all.

Claptrap314 Silver badge

Re: Sounds like typical CoG/ECG stuff to me, and that should scare you

I cannot say that I am a particular fan of Senator Church, or especially of some of the reforms of the intelligence community that were put through on his watch.

The final paragraph demonstrates a lack of understanding regarding what the millions of persons mentioned would do when faced with orders directly violating their oaths of service. After all, "just following orders" was an issue ALSO dealt with in "recent history."

But that doesn't mean that he was wrong with the rest of what he is saying.

Claptrap314 Silver badge

Re: The ultimate authority

After the recent strike in Iraq, I did a bit of history diving on the subject. Turns out that there is a history of authorization of force resolutions going back to President John Adams that stopped short of actually declaring war. Which I found shocking.

The 9/12 resolution was in this vein. Moreover, then Senate leader Tom Daschle (D) held a press conference immediately afterwards (on the steps of the Senate building) flanked by leaders of both parties, and stated, "This is a declaration of war."

The resolution was horrible policy, in that it gave the president the sole authority to conclude that a party had been involved with the planning or execution of the 9/11 attack, but Congress DID authorize it.

Canadian insurer paid for ransomware decryptor. Now it's hunting the scum down

Claptrap314 Silver badge

Re: Danegeld

He was not wrong. He was just pointing out, poetically, that to pay Danegeld is to pay tribute--that is, to cease to be an independent sovereignty.

And if you attempt to apply that rule to individuals versus some State, I can assure you that the invading nation is quite capable of taking whatever they please, so you'd best negotiate your tax lightly.

'Trust no one' is good enough for the X Files but not for software devs: How do you use third-party libs and stay secure, experts mull on stage

Claptrap314 Silver badge

Re: Unless

Minix? Is that one of those high-level things you call an operating system? We were discussing slipping surveillance capabilities into a CPU. I make no representations regarding software.

Claptrap314 Silver badge

Re: Unless

Remember that analyst report a few months back about a motherboard manufacturer supposedly slipping in a chip the size of a grain of rice onto a motherboard that could snoop traffic & phone it home? EVERYONE who had worked at that level knew it was crocked.

This fear is another iteration of that same problem. Internally, microprocessors are almost exactly like motherboards, except that the scales and relative sizes of the components are different. All of the problems regarding bus size, bandwidth, performance, and, yes, validation, apply. You try to do something sneaky, and you are going to kill performance of that part of the system. You are going to add load to the power and clock lines.

Even if there is one "senior architect" for the project who theoretically could modify the spec appropriately, they do not work on their own. They have a team that they work with--and EVERYONE on that team is going to see the big, flashing, "SEEKRIT--DON'T LOOK" sign. The permanent damage to the company reputation when word gets out is too much for even an SVP to ignore.

Notice I mentioned the folks that design their own chips. An SoC vendor typically uses macros from another supplier. Those macros are black boxes.

Claptrap314 Silver badge

Re: It's actually not that hard

I think your instincts are good, but perhaps your experience is narrow.

Yes, there has been a colorful history of complex formats leading to security issues. However, at least one defense is to use a well-vetted library to do the serializing & deserializing. In that regard, JSON is the standard choice precisely because such libraries are available, well, everywhere.

Parsing fails inevitably occur around corner cases. These cases typically occur either where the original design failed to account for something, or where the original design was found to be lacking, and the modification to accommodate the new requirement violated an assumption in the original design that was either forgotten or never communicated.

Homespun solutions, including scanf, start out looking great until it becomes necessary to accommodate some new class of data.

After the Rails YAML fiasco (https://www.theregister.co.uk/2013/01/10/ruby_on_rails_security_vuln/), I've put a LOT of thought into a general, efficient, language independent, safe object serializer. I can assure you, it is hard.

Claptrap314 Silver badge

Don't even do that. You can publish it without licensing. And by that, I mean you explicitly state in the LICENSE file that personal approval is required to run the code.

If you state that you are doing it because you don't trust the code, and you don't want it running without a proper security review, it will be clear what kind of person you are...

Claptrap314 Silver badge

Re: Unless

In the Western world, at least, the number of people involved in architecting, designing and validating microprocessors (at least, at AMD, IBM, and Intel) is simply too large for any deliberate back dooring of these chips to be hidden.

If you think that the software security folks sound like extremists on this account, try talking to the hardware folks.

The engineers are very, very serious about meeting the specs, including the published security models. (And the same goes for at least the bottom couple of layers of management.)

I've seen a line stoppage caused by a power line coupling to an address line. The tolerances in the system are too tight. They have a hard enough time meeting that target without trying to slip in some idiotic back door system.

Cache flow problems continue for Intel: Yet more data-leaking processor design blunders discovered, patches due soon

Claptrap314 Silver badge

You keep making me defend bad behavior

Certainly, in isolation, these issues border on NBD. OTOH, Intel has a long history (FP divide?) that stretches to the present of not fixing anything until it was unable to bear the media heat. Given that one of these issues is "Hey, that thing you said you fixed six months ago? You lied.", I believe that making a circus of things is pretty well demonstrated to be the ONLY way to get Intel to seriously address issues.

Intel created this environment. The rest of the industry is responding to it.

Claptrap314 Silver badge

Re: Won't someone think of the Reviewers!

I spent a decade doing microprocessor validation at AMD & IBM, 1996-2006.

Of course, security is a multi-layered beauty, but there are entire classes of hardware issues that no amount of software can mitigate. (Unless the software disables the relevant hardware feature--which is not always possible.)

Meltdown is an entirely different class of fail from Spectre, which is why Meltdown is Intel specific. Very annoying that they've not been willing to fix it. (And I use this language deliberately. The techies have had plenty of time to figure out what options will properly close this off. It's the VPs not wanting to take the hit that are the problem.)

Spectre-class leaks cannot be software mitigated without turning off speculative execution in current hardware. Full stop. You could design an architecture that had a speculative cache buffer (for EVERY level and type of cache). It would be complicated, but it would deal with Spectre-class issues.

Timing attacks on the execution buffers are a different thing. If the attacker controls all but one of the hardware threads, it is game over. So, two-threaded processors are particularly vulnerable on that account. With four threads, the OS could prevent any process from having multiple threads on a core to protect sensitive computations, or only permit threads from one process per core.

Cache-flush timing attacks are really ugly, as the entire point of a cache is to speed execution. There might be something that could be done with orphan buffers, but in the worst case, the OS would have to only permit threads from a single process to execute at once, and to flush the caches between process switches.

Teenagers today. Can't take them anywhere, eh? 18-year-old kid accused of $50m SIM-swap cryptocurrency heist

Claptrap314 Silver badge

https://www.openssh.com/

Take DOS, stir in some Netware, add a bit of Windows and... it's ALIIIIVE!

Claptrap314 Silver badge

Not if they had an Amiga...

Windows takes a tumble in the land of the Big Mac and Bacon Double Cheeseburger

Claptrap314 Silver badge

Re: Wash your hands

If the place has paper towels, grab a clean one on the way out & use it to open the door. If there is no trash can nearby, drop it by the door.

You will be amazed how quickly a trashcan appears near the door when you do that.

If there are no paper towels, and the door opens inward, things can be more interesting. Some places have a kicker that can be used to open the door with your foot. Good if you wear closed shoes--I doubt the ladies have to do that. I have been known to reach through my shirt in extremis. If this is where you work, a complaint to facilities seems to work quite well. If it is another place you frequent, a (polite if humorous) complaint to the manager is often quite effective.

Accounting expert told judge Autonomy was wrong not to disclose hardware sales

Claptrap314 Silver badge

No really, we don't. Not the 99% of us whose wealth is STILL greater than what 99% of humanity has ever dreamed of.

Certainly, there are always some $$$$$$$ out there, but no.

Claptrap314 Silver badge

Re: Auditors....

But that's not "covered" in stickers...

Cisco Webex bug allowed anyone to join a password-protected meeting

Claptrap314 Silver badge

Re: TLA

And I would say the same thing about any corporation. What is your point?

Because Monday mornings just aren't annoying enough: Google Drive takes a dive and knocks out G Suite

Claptrap314 Silver badge

Curious

What percentage of users were affected? Also, how long since GDrive's latest outage?

Certainly, it sucks to lose access to data for (up to) an hour, but it's not clear to me that this should even be counted as a fail.

NO system is fail-proof. You make business decisions regarding acceptable business risks, and the costs needed to achieve that. If G's engineering beats what you can do in-house, go with G. If not, don't.

Of course, if you never sat down to figure out your business risks in the first place, there is no helping you.

Virtual reality is a bonkers fad that no one takes seriously but anyway, here's someone to tell us to worry about hackers

Claptrap314 Silver badge

I just want Disc of Tron

That game was practically designed for VR...

The duke of URL: Zoom meetups' info leaked out through eavesdrop hole

Claptrap314 Silver badge

Make it so they can't get in, and you cannot get out.

I'm embarrassed that the penny did not drop for me on this one. If they were using 64-bit ids, the hit rate would be in the dirt. If they force them to rotate every month or so, even found valid ids would not last. Now, everything requires a password. How many of those will be '123'?

The password to a meeting is nothing more and nothing less than an unstructured extension to the meeting id. Pretending otherwise will not improve the situation.

Over the Moon? Not quite: NASA boss has a good whinge about 'counterproductive' Authorization Bill

Claptrap314 Silver badge

NASA was always about politics

Remember that President Kennedy's science adviser agreed to support the Apollo program on the condition that he NOT say that the reason for the program was science? The $250M handshake was perhaps as pure an example of this as possible, although the ISS makes a decent showing.

It's hard to know which are the street walkers and which are the Johns in this picture: the politicians whose job it is to raid the federal treasury on behalf of their constituents, or the bureaucrats who are on a mission from God to have an endless, ever-growing, unaccountable stream of money from that same treasury.

The Apollo program spawned a generation of dreamers (including myself), and spun off some neat technologies, but with the commercialization of space well underway, national pride is the only cause for government-driven "research" in this field to exist at all. Now that we finally have a space force coming online, even the not-military (oh, no, not at all!) reasons to keep NASA around are gone.

But who am I kidding. Nothing is so close to immortal as a government program.

IoT security? We've heard of it, says UK.gov waving new regs

Claptrap314 Silver badge

Re: "It will mean robust security standards"

How about, "Think of the children's privacy?"

I do think this one is usable. We've already got enough horror stories out there that a competent politician can ride this issue.

Google halts paid-for Chrome extension updates amid fraud surge: Web Store in lockdown 'due to the scale of abuse'

Claptrap314 Silver badge

Re: Appstore KYC

Nah, that would require human interaction, you see...

If you never thought you'd hear a Microsoftie tell you to stop using Internet Explorer, lap it up: 'I beg you, let it retire to great bitbucket in the sky'

Claptrap314 Silver badge

Re: Just as soon as you release a stable alternative...

I'm not a front end developer, so I'm not going to say that these sites are necessarily garbage. I'm saying that they are garbage. Maybe they are okay in a tablet or idiot phone, but I run in a desktop. I also run uMatrix as a security precaution. (Never mind tracking.)

I can assure you that these "responsive" sites are utterly reliant on javascript (mostly imported). Seriously, check out one of your "responsive" sites with noscript--they are utter garbage, and tend to be nonfunctional.

Yeah, tables aren't supposed to be used for layout. Fine. But if you use them for layout, you get a far more consistent and predictable response so long as the table fits on the width of the page. I know that's an unacceptable limitation for the cool kids. Sorry, I've never been cool.

Loading a new web page would not be nearly so onerous if it did not involve loading megs of scripts. Scripts that implement responsive design. Responsive design has thus become its own justification.

Claptrap314 Silver badge

Re: Just as soon as you release a stable alternative...

"all the electrons rolled onto the floor and died laughing"

Wow. That's a line I'm definitely taking. Payment on the right.

One-time Brexit Secretary David Davis demands Mike Lynch's extradition to US be halted

Claptrap314 Silver badge

Differences in law

I've not followed this case closely, but my understanding is that Lynch is suspected of performing actions which do not violate securities laws in the UK but which do in the US. Which is why there is a civil case in the UK but a potential criminal one in the US.

As for fairness, US juries have become increasingly suspicious of the government. Even with a biased judge, "innocent until proven (beyond reasonable doubt) guilty" is hammered into us until it is practically in our genes. (And we appreciate that from you Left Pondians, btw.)

Combined with the fact that he will doubtlessly have a high-powered defense attorney, and yes, I do have confidence that his chances of a fair trial are quite good.

If he looks for a plea, that's another matter. Unfortunately, a federal district attorney can be motivated to drive a hard or lenient bargain for various reasons.

Amazing peer-reviewed AI bots that predict premature births were too good to be true: Flawed testing bumped accuracy from 50% to 90%+

Claptrap314 Silver badge

It's called "motivated reasoning". These "academics" need to publish or perish, and a null result for your efforts doesn't read very well.

Well, well, well. Internet-of-Things speaker biz Sonos to continue some software support for legacy kit after all

Claptrap314 Silver badge

Re: Drop support, make it open source

That's a huge security risk for their non-techie customers.

With the code base in the open, bad actors can scour it for vulnerabilities to the latest cracks. These bad actors will not be publishing the results of their work, they will be weaponizing it.

There is no reason to even expect that a coherent community would develop around such code, so even for the techies, security fixes from the common repo are far less likely than for an ex nihilo software project.

Hapless AWS engineer spilled passwords, keys, confidential internal training info, customer messages on public GitHub

Claptrap314 Silver badge

You need a better story

The simplest story is that someone put their home directory into git. Either to facilitate a migration between computers, or to facilitate data access.

I've only heard about such things from techies. I really, really doubt marketers would have the wherewithal to do such a thing.

So--someone puts their homedir into git, then realizes that they need to push the data somewhere so that they can grab it from outside the company.

Whoops. Github repos are public by default.

So yes, no customer data impact. Limited Amazon corporate data leak. Significant Amazon data leak relative to the individual. Huge personal data leak for the individual.

Claptrap314 Silver badge

Re: Engineer ?

About such things, I tend to respond, "My ancestors left there 150 years ago for a reason."

In the US, there have been lawsuits over these. The first amendment just keeps winning.

Now, I would never condone someone representing themselves as a Professional Engineer who lacked the credentials. I would never fail to mock someone who hired a "Professional Engineer" without checking credentials.

The professions of PE and MD differ dramatically. The customer of an MD is typically an individual of average intelligence with no knowledge of the profession, and who is somewhat stressed. If challenged, even with the help of the InterTubes, they would be unable to check the credentials of the MD.

The customer of a PE is a business or a government, generally working through some sort of bidding process. The person doing so has as their job description to validate the quality of the bids.

Of course, I charged my engineering calculus students 10 points out of 10 for sign errors--I don't want bridges built with gravity going the wrong way.

Still losing sleep over that awful Citrix bug? This scanner is here to help... you realize you've already been pwned

Claptrap314 Silver badge

Re: this is a good bug

I was in an interview last week where, for the first time, I said, "With your workloads, you should be aware that you don't need to defend against Spectre if all of the code on a box is yours." The response? "Yes, and we don't."

I do hope they make an offer.

Ooh, watch out Google. You've got competition. Verizon has a new 'privacy-focused' search engine

Claptrap314 Silver badge

Missing a comma

"The move highlights that companies are beginning to take privacy, seriously."

FIFY

Safari's Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler

Claptrap314 Silver badge

When Google tells me something can be used to track me across the web..

I believe them.

It's when they tell me that they are concerned about my privacy that I parse things carefully--and still don't trust a word of it.

Remember that Sonos speaker you bought a few years back that works perfectly? It's about to be screwed for... reasons

Claptrap314 Silver badge

Sympathy for the Devil

I interviewed with Sonos about three years ago. Their head of security was one of the people I talked to.

Their original hardware had as its security model...not connected to other computers. Their next generation modeled LAN connections. Guess how much of their original hardware is on the internet?

The older stuff lacks the computational power to support modern basic security. And the trend is such that this statement is going to remain true, as updating our concept of "modern basic security" forces us to expand our concept of "older stuff". They might actually be facing GDPR issues if they don't push users away from using older stuff. I cannot blame them for wanting to cut off security updates for their older kit--it might well not be possible to keep them flowing.

It seems to me that the only responsible solution is to have an easy-to-swap module that contains all of the processing hardware and the external jacks. When a given module is no longer able to keep up, they can sell a new one for a reasonable price. I'm not in the business, but I cannot really imagine any other way to create IoST devices (yeah...the 'S' is for Security). Nobody was even starting to think in these terms 10-15 years ago.

Microsoft boffin inadvertently highlights .NET image woes by running C# on Windows 3.11

Claptrap314 Silver badge

Six months in C# Hell

I was hired at a place a year ago. After a reorg, I was thrown out of OSS world and into the pit of m$.

Prior to this, I had heard that C# and Active Directory were the two things that m$ got right. My opinion of the person that said this has been adjusted.

1) Documentation links were broken. Those that were not were often out of date (that is--WRONG). No appealing to source to figure out what was actually going on. I ended up black-boxing built in classes.

2) Tooling which, besides not matching the documentation, produced results which were unusable in a way which could not be corrected by scripting. Basically, the results were hints as to what might actually be usable following more black-box exploration.

3) Built in classes that throw exceptions when an array is empty.

4) Built in threading support where the m$-recommended usage is not thread safe.

As for Visual Studio...

1) Who in the !@#$ was the #$%^&*! that signed off on a %^&*!@# IDE that has to run as root?

2) How in the &*^% did anyone approve an IDE that requires a *&^%$#@ reboot to update?

That's not even touching the daily usability issues, such as the contradictory terms used for the same thing in various places, the apparently arbitrary divisions and grouping of features, or the sheer impossibility of doing certain common tasks inside the tool.

Of course, if SO is a bad joke in the OSS world, the m$ stuff is truly macabre. The eighth- or ninth-ranked answer was routinely the one that technically would work. Not that I would actually pollute my code with the garbage, mind you. But it would function.

Claptrap314 Silver badge

Re: 32 bit processors were common from 1985

It's desirable for the ad-flingers, ie: everyone's true customers.

WindiLeaks: 250 million Microsoft customer support records dating back to 2005 exposed to open internet

Claptrap314 Silver badge

Re: Only got yourself to blame, Microsoft

And yet...Azure is gaining ground on AWS. SML

No backdoors needed: Apple ditched plans to fully encrypt iCloud backups after heavy pressure from FBI – claim

Claptrap314 Silver badge

Re: TL;DR - don't trust any encryption you didn't write.

OpenPGP is not middle ground. Unless you are a literal tin-foil hatter. (https://www.youtube.com/watch?v=urglg3WimHA) OpenPGP is the sort of project almost custom-made for the open source movement. LOTS of attention from good crypto people & top-notch programmers from many (non-cooperating) jurisdictions.

For OpenPGP, it is the end user which is the weakest link. Always.

Apple calls BS on FBI, AG: We're totally not dragging our feet in murder probe iPhone decryption. PS: No backdoors

Claptrap314 Silver badge

Re: Am I Stupid or Tired

There were a number of experts offering to crack the phone for free. Some were US-based. That the FBI went with a foreign company to the tune of $1M suggests strongly to me that said foreign company had done some favor for the FBI that had not been compensated up to that point.

Apple has been aggressively iterating on its security since then. Specifically, I believe that the publicly suggested hacks have been disabled.