Posts by sitta_europea

Re: Cynicism is easy

"... It remains to be seen whether its move into "AI" will maintain that reputation."

I'm reminded of some professor and a team of researchers at a place I used to work (Imperial College, London) who for a decade had been hammering away at theories about antibiotic resistance.

They seem to have got there in the end, but this spring they handed the problem to some AI thing, which figured it out in a couple of days.

I think everybody was impressed. Just the difference in the costs would be staggering, never mind the almost incredible speed of such an achievement.

https://www.bbc.co.uk/news/articles/clyz6e9edy3o

Yes, hallucinations are a thing. But we're just starting to crawl with all this stuff, let alone walk.

People who know me will tell you that I'll be the last person they'd expect to embrace the latest fad, whatever it is, but my feeling is that the nay-sayers should couch their pronouncements in very well-considered terms, so as not to look like dinosaurs in a few years' time.

Re: Star Trek tech

"... the amount of energy required to create gravity may well be unfeasibly large."

Not at all. Nowadays we routinely see images from the larger telescopes which demonstrate gravitational lensing.

That's the effect of the gravity of individual photons.

Classically, the gravitational force is G * M1 * M2 / (d*d).

In gravitational lensing, one of M1 and M2 is big - the mass of a galaxy, or a few of them - the other is tiny, the (effective) mass of the photon.

"...suggest "somnolent", which rather accurately describes the current set of Banana Republicans/MAGAts to a tee."

Upvoted for "Banana Republicans". Nice one. The phrase never occurred to me even though for quite a while now I've been saying that the USA seems to be turning into a Banana Republic.

It's not Kg it's kg. It's a curious inconsistency, but there we are.

Re: This is another example of why cyber so-called security is nigh on impossible for average Joe

" ... AV vendors selling products which ... work some of the time ..."

For about the last five years I've been measuring the success of over a dozen vendors at spotting malware in our incoming email.

The way it works is that when my own software spots something dangerous, it sends it to one of the multi-vendor scanning sites and logs the results.

I manually check every result.

From just under 8500 tests since early 2021 here are the bald, rough, average percentage success results:

% VENDOR

------------------------------------

83.6 fortinet.com

80.3 cyren.com

76.3 avast.com

71.0 gdatasoftware.com

66.9 kaspersky.com

65.1 bitdefender.com

64.9 escanav.com

60.9 ikarussecurity.com

59.0 sophos.com

51.0 f-secure.com

45.3 drweb.com

43.8 eset.com

17.6 anti-virus.by

13.5 k7computing.com

5.9 f-prot.com

4.3 trendmicro.com

3.8 clamav.net

These results do mask some changes - for example Avast seems to have improved considerably this year - but as you can see, even the best aren't nearly good enough and everything else ranges from mediocre (missing around one in six) to pretty much hopeless in my view (rather worse than missing 19 out of 20). They also show results for pretty basic installations, it's possible to get better results from anything with a bit of (significant, diligent and non-trivial) work.

Despite what the banks, the health services and our governments will try to tell us, if We The People use consumer-grade computing there is no realistic way that we can properly protect ourselves from these threats. Using hardware and software which is far removed from consumer-grade, I protect my nearest and dearest, my own business, and a couple of other businesses. AFAICT more or less everybody else is at great risk - as the pages of El Reg bear witness.

Even with the huge amount of effort that I put into security, I can't give any guarantees. I have never used Internet banking. Given my age, it seems likely that I never will.

Re: modifying ROM

"In the article it refers to modifying rom. That shouldn't be possible. ... "

Obviously, by definition ROM can't be written.

Clearly they're calling it ROM when is isn't, in fact, ROM at all.

I live in hope of one day meeting the genius who decided that it was a good idea to make what should have been ROM writeable without *also* adding a DIP switch - or even a jumper - to the board.

Re: Secure file transfers using browser-based admin interface :o

"Secure [something] using browser ..."

It's bad enough if the Internet is involved at all, but I can't believe that in 2025 anybody is still claiming that anything which allows a browser anywhere near it can be secure.

Re: LockBit simultaneously targets Windows, Linux, and VMware :o

"... How does LockBit initially infect the Windows, Linux, and VMware ESXi environments ?"

I came here to ask exactly that. The article is long on doom and short on detail.

" ... when a supplier wants to provide ... but the contracts are so hard on the supplier ... "

This happens everywhere.

When a potential customer sent me its terms to sign, and the terms were so onerous that I could easily see them bankrupting me, I told them to take a running jump.

The customer? Local government. Derbyshire County Council in England.

Their terms said that if they bought something from me, and then LATER found that they could have bought it cheaper somewhere else, they could come back to me for the difference.

Suppose they bought it from a bankruptcy auction?

If you agree to something like that, you must be out of your mind or bent.

Re: WTF

I predict multiple lawsuits.

" ... Absolutely everything is done by jumping to more-or-less random points in the system code. ... "

Exactly what I did in the late 1970s, when I had to not only do all the data reduction for RadioImmunoAssay, but also spectrum stabilization for (sixteen photomultipliers in) the scintillation counters in the instrument on the bench. A 6800, 2K of ROM (there wasn't an unused byte) and 256 bytes of RAM. Data input via DMA. Needs must.

Re: We have tremendous power over them, and they have some power over us

"He could, but he wouldn't. Even though Pooh is a proper dictator, he's still more fair minded, intelligent, and considered in his actions than the illiterate Orange Buffoon."

He could, but he wouldn't. Even though Pooh is a proper dictator, he's still more fair minded, intelligent, and considered in his actions than the illiterate, aggressive, arbitrary, arrogant, bullying, conceited, corrupt, dictatorial, felonious, hypocritical, narcissistic, pompous, pretentious and downright deranged Orange Buffoon.

FTFY. :)

Re: That poses various questions

"...a really bad day when lawd knows how much EM energy arrives along those miles long interconnection cables."

To be fair, thesedays most of the miles long interconnections are made of glass fibres, which tend to be relatively unfazed by EM pulses.

Not that I'm in any way playing down the risks to present-day equipment. During the Carrington Event, some telegraph operators were communicating over those miles long battery-powered interconnection cables for a couple of hours -- without the batteries connected.

But I'm puzzled how AI could possibly be expected to predict something like the Carrington Event when it's been trained on data which contains nothing remotely resembling such an event. It seems like trying to predict a tsunami by looking at the tides. I can't help but feel that the effort would be better directed towards modelling the processes going on inside the sun.

Re: Should SpaceX test far more than putting a Starship in orbit?

"... the stock market has devolved into devising new ways to skim money off the top ..."

AFAICT the main reason for the existence of stock markets has *always* been to skim money off the top.

I was party to a Public Offering in the 1980s. Even back then, after watching the goings-on for a few months it seemed to me that the object of the exercise was nothing to do with expanding my business. Apart from the fact that it got lumbered with unbelievable bills from Big Name Accountants and for people staying at The Connaught and The Ritz doing "due diligence", the business was entirely incidental to the real purpose of the exercise which was to bilk the punters on the Denver exchange. The sales projections were pure fiction; to meet them would have required me to buy more of some of the major components in my products than the global supply chain at that time was capable of providing. It left a very nasty taste which still lingers.

[quote]

"It is very difficult, for example, to quantify the value that Microsoft brings indirectly, including ... high levels of security and trust,"

Microsoft brings high level of security and trust? ...

[/quote]

Yeah, that bit about "...high levels of security and trust..." must have been a quote from Truth Social or something.

What's the average number of critical vulnerabilities in a Patch Tuesday? And what's the trend in that number?

Somebody must have all the data, but from the sample immediately and easily available to me it doesn't exactly look inspiring:

https://www.theregister.com/2019/06/11/patch_tuesday/ [...88 CVE-listed flaws...]

https://www.theregister.com/2019/07/10/patch_tuesday_july/ [For Microsoft, July brings fixes for a total of 78 CVE-listed vulnerabilities.]

https://www.theregister.com/2019/08/13/windows_rdp_patch_tuesday/ [Among the 93 CVE-listed flaws patched this month are four particularly serious remote-code execution bugs...]

https://www.theregister.com/2019/09/10/patch_tuesday_abode_sap/ [and the kitchen sink...]

https://www.theregister.com/2019/10/08/october_patch_tuesday/

https://www.theregister.com/2019/12/10/patch_tuesday_december_2019/

https://www.theregister.com/2020/01/14/patch_tuesday_january_2020/

https://www.theregister.com/2020/03/11/patch_tuesday_march_smbv3/ [No patch available yet!]

https://www.theregister.com/2020/04/14/april_patch_tuesday/

https://www.theregister.com/2020/07/15/july_2020_patch_tuesday/ [Windows DNS servers (mostly also domain controllers). Huge issue. Been there ~20 years.]

https://www.theregister.com/2020/08/11/patch_tuesday_august/

https://www.theregister.com/2020/09/08/patch_tuesday_september/ [Horrifying, but slightly better than typical.]

https://www.theregister.com/2020/10/13/microsoft_patch_tuesday/

https://www.theregister.com/2020/11/11/patch_tuesday_updates/ [One hundred and twelve Microsoft security patches this Tuesday.]

https://www.theregister.com/2020/12/08/patch_tuesday_fixes/ [Quite a selection.]

https://www.theregister.com/2021/01/12/patch_tuesday_fixes/ (...again).

https://www.theregister.com/2021/04/13/patch_tuesday_april/

https://www.theregister.com/2021/05/11/microsoft_patch_tuesday_exchange_hyperv/

https://www.theregister.com/2021/06/09/june_patch_tuesday/

https://www.theregister.com/2021/07/14/patch_tuesday/

https://www.theregister.com/2021/08/10/microsoft_patch_tuesday/ [This made the news - only 44 vulnerabilities this month!]

https://www.theregister.com/2021/10/12/microsoft_patch_tuesday/ [This month: 1 low severity, 68 important, 2 critical.]

https://www.theregister.com/2021/11/09/microsoft_spreads_patch_tuesday_joy/ [55 important vulnerabilites, including 6 critical, patched on tuesday 9th November 2021.]

https://www.theregister.com/2022/01/12/january_patch_tuesday/

https://www.theregister.com/2022/01/13/microsoft_patch_tuesday_titsup/

https://www.theregister.com/2022/01/18/patching_patch_tuesday/

https://www.theregister.com/2022/03/09/microsoft_patch_tuesday/

https://www.theregister.com/2022/04/13/microsoft_patch_tuesday/ [Over 100 fixes including ten critical vulnerabilities in this month's Patch Tuesday.]

https://www.theregister.com/2022/05/11/microsoft_patch_tuesday/ [Only seventy-odd this month, seven critical.]

https://www.theregister.com/2022/06/15/microsoft_patch_tuesday/

https://www.theregister.com/2022/07/12/microsoft_july_patch_tuesday/ [June's zero-day fault gets patched in July...]

https://www.theregister.com/2022/08/09/august_patch_tuesday_microsoft/

https://www.theregister.com/2022/09/13/microsoft_patch_tuesday_september_2022/

https://www.theregister.com/2022/10/11/october_patch_tuesday/

https://www.theregister.com/2022/11/09/microsoft_november_2022_patch_tuesday/

https://www.theregister.com/2022/12/14/microsoft_december_patch_tuesday/

https://www.theregister.com/2022/12/14/microsoft_patch_tuesday_vm/

https://www.theregister.com/2023/01/11/patch_tuesday_january_2023/ [98 vulnerabilities patched in the first Patch Tuesday of the year - some of them already under exploit.]

https://www.theregister.com/2023/03/14/microsoft_patch_tuesday/

https://www.theregister.com/2023/04/11/april_patch_tuesday_ransomware/

https://www.theregister.com/2023/05/09/microsoft_may_patch_tuesday/ [This month, a relatively low number of fixes: only 38.]

https://www.theregister.com/2023/07/11/microsoft_patch_tuesday/ [One hundred and thirty vulnerabilities addressed - but a zero-day one-click compromise isn't.]

https://www.theregister.com/2023/08/08/microsoft_intel_august_patch_tuesday/ [Note the bypass of the bypass of the bypass of the patch of the patch of the patch!]

https://www.theregister.com/2023/10/10/october_2023_patch_tuesday/ [Microsoft on Tuesday issued more than 100 security updates...]

https://www.theregister.com/2023/11/15/november_2023_patch_tuesday/ [...fixes for about 60 vulnerabilities – including three that have already been found and abused in the wild.]

https://www.theregister.com/2023/12/13/december_2023_patch_tuesday/ [Microsoft: 36. Adobe: 212. Yep, that's in one month.]

https://www.theregister.com/2024/01/09/january_patch_tuesday/ [A relatively calm start to the year for Microsoft, only 49 vulnerabilities this month, including 12 RCE, two critical...]

https://www.theregister.com/2024/02/14/patch_tuesday_feb_2024/ [73 vulnerabilities this month, FIVE critical and under active exploitation.]

https://www.theregister.com/2024/05/14/microsoft_may_patch_tuesday/ [60 Windows CVEs]

https://www.theregister.com/2024/06/12/june_patch_tuesday/ [Only 47 Microsoft security issues this Tuesday.]

https://www.theregister.com/2024/07/10/july_2024_patch_tuesday/ [Tuesday's software updates address more than 130 Microsoft CVEs.]

https://www.theregister.com/2024/10/08/patch_tuesday_october_2024/ [...this one is a doozy. Microsoft has delivered 117 patches...]

https://www.theregister.com/2025/01/15/patch_tuesday_january_2025/ [...three under-attack privilege-escalation flaws in its Hyper-V hypervisor, plus plenty more...]

https://www.theregister.com/2025/04/08/patch_tuesday_microsoft/ [...11 critical issues in its code to fix. Redmond delivered fixes for more than 120 flaws this month...]

https://www.theregister.com/2025/06/10/microsoft_patch_tuesday_june/ [Just 66 fixes - some under active attack - this Tuesday.]

https://www.theregister.com/2025/08/12/august_patch_tuesday/ [...111 problems in its products, a dozen of which are deemed critical...]

"Anonymised" is the problem..."

Right. Apparently it's anonymized down to sex and the postcode.

The only trouble with that is the only two people who live at this postcode are me and my wife.

Re: Equifax?

I would have put a few more question marks after 'Equifax'.

[quote]There will be significant lessons in looking at what they had for a continuity plan, and its failings.[/quote]

I wish I shared your optimism.

Re: No surprises, but...

This has been bugging me for a while now, so here's as good a place as any.

Here in the north of England, 'Trump' in colloquial use means 'Fart'.

The word has always made me a little uncomfortable, but this year that discomfort has grown substantially because the current president of the USA is so obviously deranged.

Re: The anti-lottery

"I have a new comparison when discussing the idiotic idea of playing the lottery ..."

At work, years ago, the usual chaotic effort to pick the week's lottery numbers was in progress.

The idea was a different person would choose the numbers each week.

For some unknown reason that week they asked me to choose the numbers.

Not knowing much about the lottery, but more than most about numbers, I wrote down

1234567

on the sheet of paper and handed it over.

"Well they're not going to win!"

"I know", I said, "but it's obvious they're not going to win and they have the same chance as any other numbers you might choose".

The sales manager was flabberghasted. "Do you really believe that?", he said.

"I don't have to believe it. I can prove it." I said.

Nevertheless they wouldn't use my numbers and they never asked me again.

Re: Ask a weird question

I ask them what colour knickers they're wearing.

Re: All costs are off

[... "Starship" is probably the only space vehicle that could carry enough equipment and astronauts to do such a mission ... and it is obviously several years away from being able to safely perform it. ...]

Well if we start the planning now, maybe we'll be ready about the same time as Starship.

Not that I'm necessarily convinced that the company which builds Starship will survive many more failed demonstrations of orbital capability.