* Posts by TFL

35 publicly visible posts • joined 5 Jan 2016

New year, new bug – rivalry between devs led to a deep-code disaster


Re: Amiga pedantry. Sorry.

The 68010 was a simple drop-in replacement for the original 68000 CPU, though it didn't buy you much. As you note, no MMU, no math co-processor. I'd done the same with my A500.

One company made some neat add-ons, such as an IDE drive controller that would fit in the A500! Little daughter board under the CPU, plugged into the CPU socket, with the IDE ribbon connector beside.

Scribbling limits in free version of Evernote set to test users' patience


Re: Joplin

Joplin also allows you to self-host your data, rather than forcing you to allow someone else's grubby mitts on your non-encrypted data.

Works great with Nextcloud!

My God, it's full of tabs: Vivaldi's coolest new features shine on phones and cars


Re: Autoplay blocking

I'm not sure if it's a Firefox built-in feature, but I don't generally have any videos play by default.

So it can definitely work, albeit one of those things where I'd have to look around to tell you _how_. One anecdatum, anyway.

Sysadmin infected bank with 'alien virus' that sucked CPUs dry


It was to save the hardware, honest!

A gaggle of us at one workplace got into the whole SETI thing for a bit, easy enough since we had full access on our workstations.

There was a Windows admin guy who started to get persnickety about it, not that there was a policy against it. He was well-meaning enough, but not too bright.

One of our more creative engineer-types came up with the idea that running the SETI client was actually beneficial for the hardware longevity, because it reduced the physical expansion and contraction in the CPU due to thermal cycling. Brilliant!

Dev's code manages to topple Microsoft's mighty SharePoint


I worked for a company that used a terrible issue-tracking system. I've probably blocked the memories of what made it terrible, but finally, it seemed likely to go away.

It fell over completely one day, and a wag noted that the ticket ID numbers had been approaching a bit under 33000. Yep, turns out they'd used a signed, 16-bit integer for the ticket ID. I thought for sure that we were finally rid of it, but sadly, they fixed that issue.

An early crack at network management with an unfortunate logfile


Re: Safely raising eyebrows

The proper measurement is, "WTFs per minute". Per https://www.osnews.com/story/19266/wtfsm/

Epson payments snafu leaves subscribers unable to print


Next from Cory Doctorow

"Unauthorized Ink"

Couchbase promises P2P sync in mobile and edge DB


Re: Locked In!!! Surely Not!!!!

I'm more familiar with the open source Apache CouchDB project, but think the ideas are similar enough to hazard a guess at how it would work.

Mobile clients would likely connect to a central server, which could be self-hosted somewhere. Watch for updates, and sync up any new items from the mobile side, which the central server could then replicate to any other mobile clients.

Couchbase seems to have a bunch of information on their site though, perhaps more useful to read there than make strangely worded implications above.

Also of interest: https://stackoverflow.com/questions/5578608/difference-between-couchdb-and-couchbase

When forgetting to set a password for root is the least of your woes


Re: Nobody told me I wasn't allowed to do it.

The computer store I worked in had Heston. Great guy, but got called "Glitch" because weird crashes just seemed to happen around him. Think he's an engineer now, which must be interesting.

When civilisation ends, a Xenix box will be running a long-forgotten job somewhere


Re: .MRE Lifespan

At my volunteer fire department hall, we recently were able to "dispose" of ancient emergency supplies, presumably cached in case the cold war heated up all the way here on the coast of Canada. Everything had been crated up for nigh on 60 years, still as good as new.

Much of the equipment was aimed at supplying a small field hospital, M*A*S*H-style. Cots, surgical tools, and large tins containing packets of crackers. I volunteered to eat one as a test... while still technically edible, these never would have been considered "good." They were clearly meant to be standardized carb calories and nothing else; the tin was even labelled with how many calories per packet.

Fatal Attraction: Lovely collection, really, but it does not belong anywhere near magnetic storage media


Re: 3T magnets

I got to tour a research place some years back, where they used MRI and other devices. We didn't have to change clothes, but there was a very detailed going-over for anything metallic, to be left back in the meeting room. "Oh, and please let us know about any medical implants you may have before we go on..."

Hole blasted in Guntrader: UK firearms sales website's CRM database breached, 111,000 users' info spilled online


An iframe? Really?

I would *love* to see how an iframe running on someone else's site could lead to a database on my site getting leaked all over the net.

The likely explanation is a SQL injection on their own site, as someone viewing it in an iframe should not have any extra privileges on the guntrader's own site where the code runs.
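The two query styles the post contrasts by implication, as an added example that is not part of the original comment or of the Guntrader site's code. It uses an in-memory SQLite table with constructed sample rows (the real CRM schema is unknown); the point is that the concatenated query turns the input into SQL syntax and returns every row, while the parameterised one treats the same input as a literal and returns nothing.

```python
import sqlite3

# Constructed sample data; nothing here is taken from the breached site.
SAMPLE_USERS = [
    ("alice@example.com", "AB1 2CD"),
    ("bob@example.com", "EF3 4GH"),
    ("carol@example.com", "IJ5 6KL"),
]

# Classic tautology payload: closes the string literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, postcode TEXT)"
    )
    con.executemany("INSERT INTO users (email, postcode) VALUES (?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con, email):
    """String concatenation: whatever the caller passes becomes part of the SQL text."""
    sql = "SELECT email, postcode FROM users WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, email):
    """Parameter binding: the driver sends the value separately, so it is never parsed as SQL."""
    return con.execute(
        "SELECT email, postcode FROM users WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups with the same hostile input and return the row counts side by side."""
    con = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(con, PAYLOAD)),  # whole table leaks
        "safe_rows": len(lookup_safe(con, PAYLOAD)),              # no such email, no rows
        "safe_real_lookup": lookup_safe(con, "bob@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The same distinction holds for any database driver: fix the shape of the query in code, and pass user-controlled values only as bound parameters.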

1Password unsheathes Rusty key, hopes to unlock Linux Desktop world


Re: Not a fan

Yeah, there is a browser extension as well, that talks to a running instance of KeepassXC.

Apple faces another suit over its allegedly misleading water resistance claims


When it works, it's brilliant.

My son in law fell in our ephemeral (seasonal) pond last year, when the jerry-rigged bridge collapsed.

He couldn't find his phone, figured it was toast.

Once the pond dried up a couple months later, he went and dug it out of the muck. Took a while before the speaker and microphone worked properly, but in the end was usable.

Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world


Re: CORS and other holes by design

I can't say that I disagree, at least to the extent that this behaviour seems to have become the norm these days.

To the extent that there may be benefits in using some of these other services, could devs not simply white-list only the things that are allowed? Defining these things should be a matter of doing it once (for a site, say), and serving up the expected headers on every damn page as part of whatever templates are used.

While each specified hole adds some element of risk, the process of documenting that arrangement and those risks should suffice with minimal maintenance.

There will be a certain set of marketing folk who will scream bloody murder of course, since they're likely responsible for having dozens of trackers and ads attached to a site, but TFB.
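The "define the allowlist once, emit the headers from the template layer on every page" arrangement from the comment above, as an added example in Python; it is not code from the original post or from the Google engineer the article quotes. The directive names are real Content-Security-Policy syntax, but the allowlist entries, the site origin and the helper names are placeholders, and the `is_allowed` matcher is a deliberately simplified approximation of CSP source matching (no wildcards, no port or path rules) meant for a pre-deployment sanity check rather than as a browser-accurate implementation.

```python
from urllib.parse import urlsplit

# Constructed allowlist: one place to document which third-party origins the site
# accepts, and why. The hostnames are placeholders, not anything from the article.
ALLOWLIST = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.net"],        # assumption: bundled JS host
    "img-src": ["'self'", "https://images.example.net", "data:"],
    "connect-src": ["'self'", "https://api.example.net"],       # assumption: XHR/fetch backend
    "frame-ancestors": ["'none'"],                              # nobody may frame us
}


def build_csp(allowlist):
    """Serialise the allowlist into a single Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(sources)}"
                     for directive, sources in allowlist.items())


def security_headers(allowlist):
    """Headers a base template (or middleware) should attach to every response.

    The cross-origin isolation headers are included as an assumption about the kind
    of hardening the post has in mind; the CSP is the allowlist itself.
    """
    return {
        "Content-Security-Policy": build_csp(allowlist),
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Resource-Policy": "same-origin",
        "X-Content-Type-Options": "nosniff",
    }


def is_allowed(allowlist, directive, url, site_origin):
    """Simplified check: would a resource at `url`, loaded via `directive`, pass?

    Falls back to default-src when the directive is not listed, as CSP does.
    Only exact-origin sources, 'self' and bare scheme sources ("data:") are handled.
    """
    sources = allowlist.get(directive, allowlist.get("default-src", []))
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for source in sources:
        if source == "'self'" and origin == site_origin:
            return True
        if source.endswith(":") and url.startswith(source):   # scheme source, e.g. data:
            return True
        if source == origin:
            return True
    return False


if __name__ == "__main__":
    site = "https://shop.example.com"   # assumption: the site's own origin
    for name, value in security_headers(ALLOWLIST).items():
        print(f"{name}: {value}")
    print(is_allowed(ALLOWLIST, "script-src", "https://tracker.example.org/t.js", site))
```

Running the `is_allowed` check over the list of third-party URLs a page actually references is a cheap way to find the marketing trackers that the policy would block before the policy goes live, and to make each exception an explicit, documented line in the allowlist.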

EFF urges Google to ground its FLoC: 'Pro-privacy' third-party cookie replacement not actually great for privacy


Re: Why anyone would install a "browser" on their machine ...

I think there's some benefit in promoting alternatives, including the Chromium-derived ones where it makes sense. For example, I use Vivaldi when I run into sites which seem to demand "Chrome", and it generally works well. For everything else, I still have Firefox as a generally-great default.

Vodafone: Yes, we slurp data on customers' network setups, but we do it for their own good


Assume ISP is hostile, control your own network

My ISP (and employer, as it happens) sees one device attached to the router, and none via Wi-Fi. The one device is a firewall, and all the real stuff is behind that.

Sure, they could run some equivalent of Kismet to see what's around, but it won't tell them too much, and nothing they need to know in order to keep the pipe running.

Beware the trainee with time on his hands and an Acorn manual on his desk


"Net send" vs unprotected X11 defaults

I was on a co-op work term in uni, when I found out that X programs could as easily write on another display as one's own.

A fellow co-op student was parked in the server room of this Canada gov ministry's computer room, so I'd routinely send the nastiest pics to his HP workstation display. Usually strongly unattractive people, sans clothes. Especially due to the lack of privacy, he learned to keep a large window open that he could immediately bring to the front on his screen, then calmly deal with the offender once he was sure nobody was looking.

I'm not Boeing anywhere near that: Coder whizz heads off jumbo-sized maintenance snafu


Re: 767

I lived nearby-ish, in Winnipeg at the time. The news was certainly memorable. A couple things really stood out then, and are mentioned in the article.

- The captain was also an experienced glider pilot, using glider techniques to pull it off.

- Subsequent attempts by others to carry this off in a simulator all failed. Maybe some since, who knows?

Microsoft changes encryption, another D-Link bug, phishing dangers, and more


If D-Link owners are shocked by terrible vulnerability disclosures, I recommend upgrading... to another manufacturer's devices.

Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet


Re: called it

Only if you have JavaScript enabled...

Security? We've heard of it! But why be a party pooper when there's printing to be done


Re: One rule for you...

I used to work for a security consulting company, where government work required quite a bit of physical security. This meant things like proximity cards everywhere, with a man-trap at the main entrance, and cameras covering all but the washrooms. There was also this eerie background mumbling noise from speakers, to make it harder for other building tenants to listen to conversations.

We had a couple of fun incidents that come to mind, given that we were located in the inner city. Once, a couple of inebriated glue-sniffing gents managed to tailgate as far as the man-trap, where they got stuck. No way in or out, no windows, and just enough room for the two of them. Eventually they noticed and used the blue fire-style pull station that was used for emergency egress, while also setting off the alarm. Needless to say, our people had a great time checking out the camera footage later.

A couple others got into a basement break room, since the windows turned out to be not built to spec. The outer glass could be broken of course, but the plastic sheet on the inside could also be pushed in at the bottom to get in and drop down. They proceeded to ransack the place, leaving blood everywhere due to the broken glass on the way in. One was hanging on to the ceiling projector and trying to yank it off, when he saw the camera. They did manage to get out, but it took a while because that plastic sheet had again flexed back into place, not leaving anything to grab it by.

Want a bit of privacy? Got a USB stick? Welcome to TAILS 3.12


Re: frozen-RAM attacks

How often does that get used in practice? Keeping something powered up is certainly a thing if they can do so, but the chilled-RAM would depend on getting access to the innards pretty quickly if the suspect got it powered down fast enough.

I do seem to recall reading about some guy who got raided, who had been using a battery-less laptop in a university somewhere. Don't recall if they got a conviction, but he'd had the cord yanked out before they could stop him.

What the #!/%* is that rogue Raspberry Pi doing plugged into my company's server room, sysadmin despairs


Re: Infosec staff quality

This is something that the group I work with actually has worked out. We're part of a fairly large org, with security people in many roles. Ours is essentially internal consulting, where projects come to us for review. Sometimes even before they've done what they wanted.

PMs are still used to the idea that we approve things, but we don't. We identify risk, document it, and there is a process (still evolving) where this risk is formalized. If needed, the business people are responsible for fixing the problem identified, or accepting the risk.

Spent your week box-ticking? It can't be as bad as the folk at this firm


Re: “were quoted a ridiculous price and told it would take four months”.

Speaking of non-compete clauses, it's amazing what an employer might try to stuff into a contract.

I was working for a company with a detailed, mostly-reasonable personal employment contract. All well and good, but then said company got acquired by a similar org a few provinces to the right.

After mostly dismantling and throwing away the human and intellectual capital, said org sent out new contracts, along with some bit about "please sign by Friday." Where the old contract essentially forbade me from working with competitors (or poaching colleagues or customers) for a year, the new one more or less would block me from working in my entire field for the same period of time. I told them I'd have to review with legal counsel, and did.

Never did sign that contract. They got enough pushback on this tripe that they said they'd re-work it, and then I moved on per the old contract that was still in place.

Don't put the 'd' and second 'i' in IoT: How to secure devices in your biz – belt and braces


Re: Or...

Probably because they're common default ranges, so that barely-configured devices have to be specifically set up to talk on the intended network. If the given ranges are used, the device with next to no configuration might be connected without anyone paying attention or having applied any of the other hardening recommendations.

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’


The advantage is that it will be present by default, for all users of the browser. I too load up on ways to eliminate privacy invasions, but most people misunderstand the scope of what is done with their info.

Hacking charge dropped against Nova Scotia teen who slurped public records from the web


However, their behaviour was still re-volting.

MacBook Pro petition begs Apple for total recall of krap keyboards


Re: Useless Apple

Well, I kept a little Windows partition, basically for iTunes and a couple games. The vast majority of the time it's Linux Mint... again, back to having a stronger element of control.

Sure, I could have paid to have the main board replaced on the MBP ($700CAD), right after dropping $300 for the battery replacement that also requires replacing the keyboard, trackpad, and case top. Because you know, gluing it all together is just peachy when one thing goes. The main board is probably mostly-good too, but the charging circuit died. I couldn't even pay for a main board with more soldered-in RAM, because Apple will only do like for like replacement. Yes, I'd be paying for the part, but there is basically an inflated price and then a "discount" unless you get precisely the same part.

If I had had the repair done, it still would have left me with an out-of-warranty, never-upgradeable laptop with some stuck pixels in the display. This new one is warrantied *and* I can get in there myself to do upgrades, imagine that! Oh, and built like a tank.


Re: Useless Apple

Sure, they could make it thicker, upgradeable and all that. Of course, then it's a ThinkPad, which is what replaced my dead MBP. I went the full "mobile workstation" route, with a P50. Multiple drive bays, three empty RAM slots, *lovely* keyboard. I don't give a rat's ass that it's thicker or heavier, it works better.

Oh, and I even found an adapter to take the Apple-specific SSD, to put it into a small enclosure to create effectively a SATA-compatible laptop drive. That's in the ThinkPad now as another 500GB that was just going to sit idle in the dead Mac.

Apple's QWERTY gets dirty, leaving fanbois shirty


Re: This is exactly why I now avoid Apple gear

That extortionate price is due to replacing not just the keyboard, but the other bits that are glued together too. Top case, keyboard, track pad, and battery are probably all together.

I needed a battery replacement on my late-2013 Retina MBP, and that's what got replaced. Then the main board died days later... so I bought a ThinkPad instead of dropping another $700CAD fixing the Mac. Now I've got an awesome keyboard, parts replacement I can do myself, and in this case, can add RAM and more storage at will.

'Your computer has a virus' cold call con artists on the rise – Microsoft


Re: Re "putting the phone down is almost always the right thing to do."

I got one up to 45 minutes, and thought to record the last half. Escalated through several people, before the last one called me an asshole and hung up.

The approach I took was:

- Attempt to play along on Linux.

- Don't advertise that it's Linux, but would tell them if asked. No one did.

Scotiabank internet whizzkids screw up their HTTPS security certs


Banks and security? Pah!

Try convincing a bank to use two factor authentication. I pestered RBC, all I got back was that they'd cover losses incurred. Not impressed.

Western Digital has cloudified the NAS and shoved it in a trendy box


Re: Deja Vu

Wow, you got an update? (OK, one that was terrible, but I digress). I never did for my My Book, perhaps I bought it too late in its intended product life span. The box still works, but it's always been a shit show for internal VA scans I've run. I think the next will be FreeNAS or something that at least I can support myself.

From Zero to hero: Why mini 'puter Oberon should grab Pi's crown


How about a lisp machine?

I'd love to have turtles all the way down, with all that introspection magic that you have in Common Lisp these days. The RPi and friends won't have hardware help for lisp code, but may be fast enough to get a feel for the idea without buying an expensive, mini-fridge beast on eBay.

I suppose Squeak is the closest to the idea now for running everything in one image, but implementations such as Clozure Common Lisp do work fine on the Pi.