Posts by Arthur Daily

28 posts • joined 16 Apr 2015

Let's roll the 3d6 dice on today's security drama: Ah, 15, that's LG allegedly hacked, source code stolen by Maze ransomware gang

Arthur Daily

Re: LG Software

Let's see

1) Nothing was 'stolen'

2) Good companies have nothing to hide, and can cope with embarrassment

3) External code reviews do no harm - at least not to LG who have super low market share in the mobile market and have admitted to noncompetitive agreements signed with suppliers, but not disclosed to the relevant authorities.

4) Blackmail is not a problem if you have done nothing wrong

5) It's a company not a person - so hopefully nude selfies are not on the company server

6) Whatever happened occurred on an approved and signed off risk plan - indicating management accepted the risk anyway.

7) Make use of lessons learnt - and move on to be better. PR will do the cleaning.

Chips that pass in the night: How risky is RISC-V to Arm, Intel and the others? Very

Arthur Daily

Throughput is what matters

Who said, or measured 2-5%?

All the Intel and Windows software remediations have slowed performance 10-25%, yet expensive per-CPU software licences stayed the same. I am not sure what the slowdown did to power consumption. Besides, AWS etc. choose places where electricity is the cheapest.

The beauty of different chipsets is that reliability is discovered. Intel has so much undocumented junk and bloat - it is time to leave that ship. ARM also caught a cold having copied Intel's spec execution blob. MIPS is pure, so are some others. But again, no point in moving to a less buggy CPU if the OS has hardcoded x86 ring shit nonsense.

Throughput is what matters, and IBM Mainframes on an equal die footing do well, AND have memory guards not available anywhere else.

UK contractors planning 'mass exodus' ahead of IR35 tax clampdown – survey

Arthur Daily

Re: Anonymous Contractor

First off, the UK does not want to descend into no permanent jobs as occurs in the Philippines with 'endos'. It was a lurk, and it's ending.

Secondly contractors do not do the same job - they rarely teach and pass on knowledge, and mostly withhold important stuff. You would too if you wanted a renewal.

Thirdly the umbrella company solution may not work, or may get hammered, as the intention is clear, and if there is no real independence. See Uber 'tests' in civilised countries not pretending to be blind.

Lastly, there will be a temptation to phoenix umbrella companies (go insolvent/broke then restart) and wipe out monies and benefits owed to employees. As such, non-compete or transfer of knowledge to rival competitors ENDS. If you sign a secrecy agreement with the client - then IR35 may bounce back.

If you need a security clearance and a .gov pass with defined roles in, say, SAP, I wonder if IR35 is triggered.

Uncle Sam tells F-35B allies they'll have to fly the things a lot more if they want to help out around South China Sea

Arthur Daily

Amazing how so many people who never saw 'Waterfall' are so expert at bagging it, by implication British SDM which was not so bad. American skunkworks planes were also waterfall - with requirements first.

I'd say waterfall projects fail as the cash burn rate is too high early on. Agile more successful as nobody on the team has seen quality, so sort-of-works is a winner.

Arthur Daily

Re: !!!

The stealth technology is BS. 1/4 wavelength means any UHF radar will see it easily. So the only stealth is angled panels that reflect radar, as long as the frequency is not too low. The Russians do have sets that operate over a wide range, as do the Chinese. Think SS400. Plus if their 5G gets in, there will be an app to detect aircraft - if it's not raining.

The Americans assume a saturation cruise missile strike will defang such nasty missile sites so it is safe for the F35 to fly in. Oh wait, the Israelis had some faster jets shot down or shredded, so old assumptions are very suspect. After 2-10 minutes on afterburners, mission survival for the F35 with bays open to vent heat, will be hot targets indeed.

Arthur Daily

British Leyland is in charge of F-35B production line

British Leyland (USA) said to work for 10 hours is a miracle, beating the expected one sortie and one full overhaul target by spades. Like our cars, each plane is a precision master-crafted pride of the factory.

Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

Arthur Daily

Re: Perhaps I misunderstood but ...

You DON'T have to roll your own. WireGuard / Salsa is sufficient if you have good key hygiene.

Paranoid? Other crypto libraries are available. Just make sure you compile SSL and ONLY have three or so algorithms and nothing to fall back to. The three-letter mobs have enjoyed complicated protocol fallbacks and defective checksum/certificate checking. Failing that, auto updates can be another way in for difficult punters. Plus horrible 'Management' chips on the motherboards. That screams compromised.

Plus the IoT thing means you can impose a Raspberry Pi as a pass-through router/encryption box with keys on USB sticks that NEVER touch your main computer. But if paranoid, compile a pass-through on an obsolete CPU type with no baggage, no onboard bootstraps, and no CPU buffer speculative execution leaks, such as MIPS.

Then get a zener diode and a transistor and generate lots of random noise, and pretend to swap torrents. If you buy off the shelf, all bets are off.

From WordPad to WordAds: Microsoft caught sneaking nagging Office promos into venerable text editor beta

Arthur Daily

There is no reason why GCHQ (or any foreign government) or the like cannot issue a patch to remove data exfiltration activity in the name of national security.

Any decent system programmer could do a binary compare on the two versions and document settings of interest for a howto.

Any excess effort is a CLIMATE CHANGE, as wasteful processing power and electricity is squandered on unsolicited electronic intrusions. Trust Microsoft to find new ways of adding more CO2 to the world's problems.

Academics call for UK's Computer Misuse Act 1990 to be reformed

Arthur Daily

'Let the punishment fit the crime' comes close. Fines for civil misdemeanours need to be added to remove matters that do not belong under criminal matters.

The original drafting was deliberately penned wide so the DPP's job was easier, and because defence clauses would be complicated in an international setting. Most importantly, contributory negligence needs to be explicitly added for the defence. Yes, a rewrite is needed, but they won't because Assange cases need excuses for easy extradition. We already know UK law does not measure up to the more honourable and honest EU standards.

The Year Of Linux On The Desktop – at last! Windows Subsystem for Linux 2 brings the Linux kernel into Windows

Arthur Daily

Re: MS SOP: Embrace, Extend, Extinguish.

Leading businesses and enterprises who understand absolute cost control and value their market share will never touch any service that can steal their trade or profitability secrets. Azure's winning formula is an economic rent model tuned to consultancy advisors to recommend simple solutions to simpleton executives who seek shelter in the 'me too' club. Naturally a higher cost base will see most fall to mean and lean ICT leaders not stuck in old world 'sales channels'.

Azure's second advantage is enabling shadow IT to suck regular IT budgets, and allowing rogue executives to big-note themselves. New cost centres allow any proposal to work on paper and get the tick of somebody. All those idle phantom instances cost a pretty penny.

BAU run-time costs are about 5%. Development and forced upgrade cycles are 95% of the ICT budget. So mature businesses that jump to value-added services and rental models, while sacrificing privacy, are both desperate and capital shy. Possibly transitioning to a labour hire model, where skilled employees are a technical liability.

Boeing is well past the Azure stage. They went straight to 'You write this stuff' and we will pay you some ongoing forever percentage padded onto the buyers tab. MCAS - so successful, and gets rid of the 95% development overheads. Lead or follow - pick one.

HPE goes on the warpath, attacks AWS over vendor lock-in

Arthur Daily

Re: He has a point

The definition of a cloud used to be 'No lock-in' in the official govt tendering rulebook. You could move to another one just like that. Vendors and CRM marketing droids have perverted that definition. The worst perversion is the 10 Year! deal awarded to Microsoft over AWS. It sure looks like hire-purchase or leaseback.

Arthur Daily

Re: What lunch?

Most companies out there see IT as being an unwanted stepchild that they, until now, had to care for.

Well, the stupid ones might. For some businesses their data IS their only business. A Cloudtastrophie in the making.

I don't see Walmart placing their sales and inventory online for Amazon to either dump, read, or somehow exploit. Lawyers can legitimize the data theft later. One believes Boeing placed their data in an online cloud, and the inability to hide smoking guns and internal emails - well not good. Tobacco and vaping purveyors probably truly know the risks.

Down the line the IRS will be trolling not only the company, but probably their legal counsel communications that are neither private nor safe from internal trusted executives claiming a reward after their golden parachute.

Thirdly, remote access is a two-sided coin. You are a fool if you believe the risk is low. As AWS usually keeps three copies of data, if you do a secure wipe - how long does that operation take to percolate over all backups and archived storage?

Sure, some will go for the short term win. This data migration was caused by vendors charging unsustainable inflated retail plus plus for a range of software must-haves. AWS got a bulk purchase rate, and passed it on, until say MS pulled the pin - so the 'savings' have evaporated. While others not picking bespoke clouds with NO break-ins or leaks or operating beyond the law VPN services.

We're free in 3... 2... 1! Amazon unhooks its last Oracle database, nothing breaks and life goes on

Arthur Daily

Choose your DB Carefully - Evaluation Matrix

Old school guy here. Once upon a time we did software product evaluation matrices that included technical support, cost of ownership (including testing environments) and vendor pricing reputation.

Experienced hands made few mistakes. Nowadays management sorts use Magic Circle Gartner reports to pick winners - or have some consultancy to make a recommendation - that had no financial consequences for them. Maybe only Walmart and Amazon fire those responsible for negative ROI outcomes.

Then Microsoft invented TOC, only cost of ownership, that never included yearly licence fee hikes, and optimum factors that worked for their marketing hype. But experienced evaluation people got the flick, as salesdroids targeted the decision makers with a budget. Game over.

Then Adabas/Natural DB started to Oracle their remaining declining customer base. One manager coined the expression bushranger tactics. IBM Mainframe users were astounded by vendor aggression. Most never bickered over price increases, when capacity management experts were made redundant.

Back to Oracle. Their tools for emergencies and business restoration were bullet proof. That won them business over DB2. People buying MS SQL Server never thought that far ahead. Then Oracle started to do a Software AG trick - antagonise their reference sites.

Then came the Cloud - AWS and Cloudtastrophies. My tip to new players is never buy a product that allows auditors to set foot on site or steal your usage numbers. Greed never changes, so pick solutions where blackmail is less likely. OpenSource spinoffs are reliable enough.

If vendors won't licence or work with AWS, avoid them and pick another.

German ministry hellbent on taking back control of 'digital sovereignty', cutting dependency on Microsoft

Arthur Daily

Re: Do you want to be held hostage by Microsoft?

And now the firmware has been hacked, exposing new tweaks.

1) No TP security updates - old machines more than 3 years - tough titty, no vendor updates as if BIOS updates were bad enough.

2) Circular Keyboard/Mouse drivers - Windows 10 insists on NOT loading keyboard drivers but using, say, the Synaptics driver in the UEFI jungle. I now don't trust that device or enforced must-use policy.

3) InSnide UEFI transmitting WiFi shit before the PC Boots.

I believe China is now getting the sovereign risk message, and seeking to remove binary blobs and key dependencies. It is possible for the US to disable most Chinese produced devices on demand.

Or a bad actor to disable via a remote connection, lots of things. Say voting machines, and voting apps. But so far both countries are keeping such baked in dependencies.

We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe

Arthur Daily

Re: "buried in Windows since the days of WinXP"

Remember GCHQ and other security organisations giving Windows Evaluated product status EAL ratings for the Military/Govt etc?

Well, it seems every bloody text field was nickable, and probably not XOR'ed out, letting it be hoovered up by something else. It's great news for the next Snowden or Assange or Manning. I doubt this has been patched everywhere and I doubt sensitive text boxes have not been wrapped up, by poorly written apps. IBM mainframe has memory keys and storage pools - so not nickable. I bet this breaks screen scraping and disability/Blind applications as well.

Hope to keep your H-1B visa? Don't become a QA analyst. Uncle Sam's not buying it: Techie's new job role rejected

Arthur Daily

Anything longer than 3 years is not short term. In 4 years there should be a local replacement trained up for succession, unless they fit into IQ over 140, top 1%ers by commanding more than $120K PA.

Arthur Daily

Re: Not *entirely* unreasonable?

And in xx years they found no better local talent. The decision to spill the visa, and open the new position to market testing was correct. One suspects the role had changed for a while and went undetected. Go back and fine the firm.

The firm made the mistake of not writing in things like 'knowledge of internal corporate QA, and being able to do so at speed', 'apply judgement of QA using corporate knowledge'. Perhaps the USA rightly bans tailor-written job applications that only one person in the world will meet.

California's politicians rush to gut internet privacy law with pro-tech giant amendments

Arthur Daily

Privacy workarounds

Privacy means you having control, and being able to revoke private information.

Profits means having the dirt, and leverage on everything you can swipe legally.

They are in conflict, but I bet profit, and paying lobbyists what they want, wins.

Governments need more tax. The solution is to tax personal information holders, and tax those with monopoly share.

Qualcomm fined €242m over 'predatory pricing' that helped to knock off British competitor Icera

Arthur Daily

Laws are made for an outcome. Fair and transparent fit in there somewhere.

While the rebate/secret commission/backhander/tied contract/volume pricing, whatever, may have been legal, these tricks, along with others (export income non-taxable if a USA co.) and patent cross licencing? The net effect is/does kill off competition. I think AMD once discovered

Most EU/UK laws fail. The American lawyers run rings around you. You need to tax imports that have non-transparent manufacturing elements hard.

USA is now banning Huawei, because they don't like their own brand of commercial medicine.

Did you know?! Ghidra, the NSA's open-sourced decompiler toolkit, is ancient Norse for 'No backdoors, we swear!'

Arthur Daily

Re: Gift Horse...

Not needed.

What is missing is a hardware grab tool, where all memory can be discovered and dumped, and bootloaders detected and some automation to unpack compressed or obscured blobs.

That is a big hurdle.

So everyone can unlock bootloaders and replace compromised certificates, when the vendors abandon product. The choices seem heavy for CPUs, and light for microprocessors such as in graphic cards and disk drives.

With other options out there, this is harmless, and not increasing ease of discovery.

Arthur Daily

Re: Perhaps they have moved on

See Intel's pre-execution pipeline hack (Not bug, because they knew and picked good-enough).

Made its way into Intel chips, AMD, ARM and IBM chips. Just two makers of modem chips, both with onboard processors. Rather than correct the hardware, secret inefficient software semi-fixes are being chunked out. Only Linux people have fessed up into saying software remediation is slower than microcode hobbling. Rather than a fix, Intel is directing resources to encrypted code execution extensions that will make viruses undetectable.

Arthur Daily

Re: why on Earth give this away for free to everyone on the planet

Before Microsoft and the ilk, IBM source code was held by nearly everyone, and control blocks of course. IBM part relied on others to fix their code, and often sent smart ones free gifts or bottles.

Pretty sure ICL, Fujitsu, and DEC/PDP gave out source code. Too young to remember CRAY and CDC. Bottom line was that there were no 'memory leaks' and orphaned junk, and one-off errors when real SEs could hunt them down.

Then IBM started covering up control blocks and VSAM, and making source code available to SEs where locked up - just in case the OS went into a deadly embrace/loop that could be fixed on the spot - rather than 2-3 days of no ATMs.

Rolling on - the Atari, TRS80, and Apple II had very tight and efficient code, with chess programs under 1K! Now Microsoft is bloatware riddled with poor coding, unchecked parameters, unchecked recursion, and unreviewed code. If it is done in-house, you have to wonder from the company that retitled machine attendants to 'systems engineers'.

The UK's Investigatory Powers Act allows the State to tell lies in court

Arthur Daily

Re: Reasonable Doubt

Kim Dotcom appears to have this problem in NZ.

A poisoned forest of illegally obtained evidence is being accepted. Add to that fabricated charges that do not exist in NZ. Like in Rainbow Warrior, maybe deals struck on a wink and nod.

Australian Information Industries Association*: you're not the future of democracy, so please shut up

Arthur Daily

1) This is either/or, so you always have the option of a physical paper.

2) The 2nd requirement: must vote from a mobile phone in your name.

3) You have a MyGov account and have given electronic consent through it, OR a setting that says 'refuse electronic vote', which is the default setting.

4) It must be cheaper and must be open source and must be independently verified by many. There is free software - thinking Brazil.

5) Any cast vote comes with a reply SMS and optionally a confirmation magic number.

6) A 2nd app is sent out weeks before, allowing you to practice vote and get a magic number that will depend on a second number you input when you vote.

7) Thus any tampering or MITM attacks has a high probability of being picked up.

8) For the paranoid - voting boxes and tally on paper tampering has been known to happen.

9) So a voting SMS message that says 'You voted, your checksum is xxxxxx'.

10) Leaving your phone lying around and your partner voting will not work.

11) Extend voting window for electronic method.

13) This translates to barcodes and 2 large prime numbers.

Australia cracks tech giants' tax dodge code

Arthur Daily

Re: why should the country in which the item is sold enjoy the biggest tax 'take'?

Well, the US has a 19% max for overseas revenue not booked home.

Singapore / HK around 15%

Money into Ireland goes out without Ireland's tax take, due to other tax treaties.

And besides, price transfer schemes and arm's length transactions are illegal, to the extent that complicated shamming and diversion cannot be proven in a court of law.

The solution is a 15% withholding tax increasing 2% every year if not claimed, or import duty re-introduced at a level to discourage this.

Assange™ celebrates third year in Ecuadorian embassy broom closet

Arthur Daily

If the Swedes actually do believe in Justice, after 4 years - one year more, they should simply declare him guilty, declare 'time served in full' and cancel the extradition order. Petty, vindictive and wasteful of resources is how it looks. The reasonable man test says there is something else going on, and that British justice is looking crook and bent.

Amazon: DROP DATABASE Oracle; INSERT our new fast cheap MySQL clone

Arthur Daily

People do not get what they pay for. They get a rosy glow from buying market leader and brandname, and rarely screw down perpetual outgoings. If you don't mind privacy concerns, then cloud is the way to go. Vendors have been charging murder, for products in limbo. Sometimes they need to be shown the door. Amazon is selling the door (as are others), and brandname vendors will panic when the skills for painless converts arise.

Android lands on Microsoft's money-machine island fortress

Arthur Daily

How to select

The banks or NCR's logic is confused. BSD will be stronger - thinking OpenBSD.

OTOH Google is paying big bucks and rewards for security holes to be patched and is rapidly overtaking Microsoft in the security/trust area. So looking ahead 10 years, Google will win, and have all those Facebook capabilities and facial recognition for nix!

Google and Android is the right choice, and MS is going to have fewer cash cows. The other option is to run the Microsoft ATM software in the cloud, and hope some hacker does not embellish the protocol to eject all notes. Right choice.
