Posts by Frozit 45 publicly visible posts • joined 27 Jan 2016
Not really sure why or what perceived problem this is solving.
Not trusting the environment that the server is running in. This is not even on my top 10 list of concerns.
Looks to me like someone who has been focusing on the side channel issues with CPUs is trying to make the fact the server is now running in a fixed envinronment is something you seriously care about. Either they are so deep into the issue that they can't see anything else, or it is Intel trying to make new CPU versions "important".
Science Fiction has been exploring all of this for a long time. Which would be part of the problem if you were born after 1980. You haven't read all the scifi literature... (SciFi is the all about exploring what ifs. It is amusing how much computing was predicted, and how much wasn't...)
So, exploring this is good. The same things get invented/discussed over the years, and enhanced with current knowledge. This is how we advance.
When signs blow up, they are of course visible.
But all of these BORKage articles seem to be the low hanging fruit. Like, as IT professionals, are these systems high priority? Or pretty much the lowest priority.
If they fail, the business effect is minimal. To perform maintenance on them can be a pain, they might not even have a remote access connection. So of course they die, eventually.
A system that is not rebooted regularly will eventually experience an outage at an undesired time.
The biggest hurdle is authentication of the voter identity.
This has been solved in the small by entities like banks to some degree. However, how many support calls per day are made for password resets, etc?
And remember, you have to solve this for EVERY voter. Sure, just about everyone here is savvy enough. But you know as well as I do, through the daily issues we deal with, that there exists nothing that solves for the general user.
I have been impressed for the most part in how well the sudden growth in demand has been handled.
If you think about what is actually happening, with everyone at home, it is pretty amazing.
I wonder if we were able to run an experiment of doing this each year in the past, when it would fail. I'm guessing not very far back in time.
The concept of SSO in a business environment works fine.
As a personal choice, it fails. The basic flaw is if you link a bunch of external accounts to Facebook, Google, Microsoft or whatever is that if you lose that account for some reason, you have lost all your accounts.
There is a story about someone losing their Google account because they posted a bunch of smiley's in a Youtube comment. Exactly what was posted is up for debate, but the damage caused way outweighs the supposed crime.
TBH, employee representation on the board of a large company is not a good idea. Certainly not within the current legal framework around boards and board membership.
Having been on boards (of small companies) for the last 20 years, there are things that are discussed at the board level that need to stay within that context and not be known outside of it. An employee representative would be under pressure to break that privacy.
This is like putting a union representative on a board. Brilliant. The union now has information on the other side of agreement negotiations. How well would that work?
I expect to to be flamed for this, but the legal reality is that this would only lead to grief.
so "No geofencing for me" means that you think you should be able to fly your drone anywhere. Like on an airport approach corridor? Remember this the next time you are flying.
And remember this when drones become a restricted item, and you need a license to buy one, etc. Because it is this "the rules don't apply to me" attitude that creates stronger rules.
As the article states, this vulnerability is primarily a shared cloud issue. When the speculative execution engines were designed (circa early 90s), there was no thought or vision that someday we would have the large cloud shared execution hosts that we have today. Once one vulnerability was found, it was pretty clear that there would be others.
To fix this requires a serious redesign of the core CPU engines, which will take years to fully test, then propagate out and replace the existing flawed CPUs.
There was no intentional plan to create this issue, it is mainly a case of changing environments and requirements.
2 years ago it became apparent that my software company didn't understand certs. There was even an internal meme for it.
So, set up an internal CA, ran a couple courses, forced everybody to request certs for their test servers, etc.
It worked, certs are no longer an issue.
Eventually ran into the SAN cert issue with Windows Server 2012 R2 not requesting SAN by default, so ended up making a wild card get out of jail free cert. Which kinda defeated the whole purpose.
However, certs are no longer a meme, or a support issue, so win!
The sad thing is, as a large company, you HAVE to do layoffs. Especially in tech.
Hire 10 people. 2 are top rate, 6 are ok, 2 are terrible.
Who is the most likely to leave? The top 2, and maybe some of the 6.
Who will never leave? The bottom 2.
Hire another 10 people. 2 are top rate, 6 are ok, 2 are terrible.
Rinse, repeat.
If you don't have a house cleaning, you fill up with bottom raters.
Sad, but true.
And given the ability for bad managers to select staff that, uh, fits their views, you have to be shotgun with the house cleaning.
Terrible for the individual, necessary for the whole.
This just sounds like they were on the bleeding edge of email systems, and something was going to die, somewhere.
The fact that they couldn't get a load balancer strong enough to handle their volume tells you something was going to give.
An honest attempt was made to address the issues, and it failed. Meh.
Fundamental theory. Security is built on a "trusted" item. Without that item, you can always break in. And pretty much every computer security item is based on a trust in the hardware. Once you have physical access to the device, the rest is just engineering.
Being a developer of too many years to want to count, this just sounds like the latest bandwagon to hell.
Sure, with the "right people", you can make this work. And those "right people" are the same small selection of people that everybody wants for every one of these bandwagons. Sitting here surrounded by 20+ developers, maybe 3 could make this work. For a while. Maybe.
So the botnet operator would have had signs that someone was taking an interest. As in, that the AVs were hitting its installs more and more frequently. Eventually this kind of operation will cause the operators to run before the takedown happens. But that will likely take a while.
Given that the majority of readers of this forum tend to be sysadmins who enforce rules on users, I find some of the responses to this amusing.
Who says that my password can't be my name, or "password" or... Silly rules getting in my way.
Who says I can't fly my drone into restricted airspace? Silly rules getting in my way.
Quite amusing, tbh.
I have been watching these IBM announcements, and wondering why one would still work there?
Stuff like this makes people leave. The people who leave first are the highest skill workers who can easily find a new job. This is a sliding scale down to the bottom end who will never leave on their own.
So, what is left at IBM? And why?
How do you end a company like IBM? Does it keep getting smaller and smaller, with less and less effect? Sad.
We have, as a civilization, built up a set of laws and rules about how things like stock markets, money lending, etc, should work. It is not perfect, but it does work. Without it, life as you know it would not exist.
Some of the commenters here seem to feel that any thing organized is designed to rip them off. And bitcoin and Tor are completely white as driven snow. Because it fits the uncomplicated, unbalanced views they hold dear.
It would be interesting to see how many bitcoin operations are actually criminal in basis. As in, drugs, or things like card skimmers, or ransomware payoffs, and so on. Personally, I suspect a very large percentage of the transactions are related to that.
So the question is, does the nirvana that Tor and bitcoin are supposed to help create actually exist, or is that nirvana really total criminal anarchy? I personally have not seen any of the nirvana created, but I have seen an awful lot of criminal activity.
The people who support Bitcoin and think its great will defend it to the death, in the face of any logic.
Those of us who look at the world, analyze what is going on, and make decisions based on that, look at bitcoin, look at how it is being used, and put it down on the facts of its behaviour.
Earlier, someone used a "I bought some a while ago, and made a bunch of money off holding it" argument. I agree that you are happy you made some money on it. However, how is that a defence of all the other issues. The reason its value probably went up is because of all the people forced to buy some to pay off their ransomware. So, quite likely, you are enjoying the proceeds of crime, indirectly. Hmm...
is dumb enough to interfere with a plane they are flying on?
Consequence 1: Death
Plane crashes...
Consequence 2: No anonymity
Something obvious happens, authorities are called, they go through the list of passengers, and....
The penalties for interfering with a flight like this would be in the terrorist/hijacker category, with SEVERE penalties.
And yes, there are probably a few idiots that stupid...
I live in Canada. Regularly, during the winter, the temperature in Southern Ontario reaches -30 C. Other places, it gets even colder. And my car stays outside all winter.
Last year I accidentally left a UPS over winter in cold location. In the spring, it no longer worked.
Then, if you consider the other extreme, how hot does the interior of a car get in a southern climate in the sunshine in the summer. Easily +50C or higher.
Manufacturers use the temperature and other environmental ratings of the components to certify their overall rating. If they don't, they are liable for the repairs and other costs if those components fail.
I am amused. The original article referenced programmers who clearly were broken. However, picking on academic fortran, and other code that was written LONG before today's Software Engineering standards were created, and the glorious hardware that we have that allows effectively infinite memory space is quite amusing.
And most academic programmers are self taught. No one teaches software engineering 101 to Physicists. Even though most of their work is simulations...
Think of all the headers in an email. Source and Destination for one. As the article clearly says, they don't need to read the encrypted text, they just want to know that you and your destination are talking.
As it states. If you are using PGP, Tor, or any of a bunch of other things, you are flagged as a person who is possibly interesting. This reduces the subset of search targets immensely.
And if you are only talking to your gran using PGP, and she only talks to you using PGP, they will pretty much ignore you.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
