* Posts by sitta_europea

792 publicly visible posts • joined 29 May 2016


Marvell disputes claim Cavium backdoored chips for Uncle Sam

sitta_europea Silver badge

If I had a secret that really needed to be recorded, absolutely the last thing I'd use to record it would be an electronic device.

Thousands of Juniper Junos firewalls still open to hijacks, exploit code available to all

sitta_europea Silver badge


Apples to apples: Boffins find a way to make e-waste edible

sitta_europea Silver badge

"...what is the chemical energy of the resultant product."

No chemical process can produce anything like a few kWh from a gram of *anything*.

For a few kWh you need kilogram quantities of chemical fuels. Gasoline for example gives about 12.5 kWh/kg.

At energy densities a thousand times higher you'd need to be talking about nuclear processes.

Utilising the decay of Ta180m (at 41 GJ/kg nearly a thousand times the energy density of gasoline) isn't practical, but that's the sort of order you'd need to be talking about.

Compare the practical energy density of gasoline at about 45 MJ/kg with that of natural uranium in a light water reactor (theoretically ten times that of Ta180m; you'll only get about 150 GJ/kg after the inevitable thermodynamic etc. losses, but still over a thousand times more than even pure hydrogen at 140 MJ/kg).

So I'm looking for orders of magnitude improvement in the energy budget and I don't see how that can be realistic.

sitta_europea Silver badge

Running a 50W LED for a week takes a few kWh.

This is to process less than a gram of plastic.

To put it very mildly, a few kWh to recycle a gram of plastic sounds rather expensive.

Spread this out in the Sahara to use sunlight (if it would work with sunlight) and on the back of this envelope I reckon you could process on the order of ten tonnes per square mile per week.

In terms of global waste of annual megatonnes that's not going to make a very big dent.

Am I missing something?

South Korea's Moon orbiter snaps India's lander

sitta_europea Silver badge

On Earth, Prydz bay


is at about the same latitude as the latest Lunar lander.

I don't think anyone would have said Shackleton had reached the South Pole when he got to that latitude, since he still had 1,200 miles to go...

It's not so far from 70 degrees to the pole on the Moon as it is on Earth, but it's still over 300 miles.

Scientists turn to mid-20th century tech for low-power underwater comms

sitta_europea Silver badge

Re: "redirect signals back toward their source rather than simply reflecting them"


Big Tech has failed to police Russian disinformation, EC study concludes

sitta_europea Silver badge

Just a few times in my now rather long life I've had the benefit of personal experience of something about which I later read in the newspapers.

In every case, what was written was a sensationalized travesty of the actual events.

They weren't even things that carried any import. Like for example when my judo club went to a Sunday morning aerobics session in Oxford.

The article I read later said something like, "Twenty burly blokes were left for dead after a session with Miss Whatshername."

I was one of those blokes, and I'm not burly, and my mates and I found the session pretty tame compared with a Tuesday night at Morris Motors.

After about the third time this sort of thing happened, I started taking very hefty pinches of salt with everything I'd see or hear in the news.

I'd advise everyone to do the same because, as far as I can tell, in this respect things don't seem to be getting any better.

Freecycle gives users the gift of a security breach notice

sitta_europea Silver badge

"...Beal warned members: "Please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them.""

Er, with email, that's not how it works. Attachments are part of the email.

You won't normally get bits of an email, you'll get the whole thing, if for no other reason than that it might have a signature - and you can't verify the signature without having the entire email...

Having received it, it's then up to you to do whatever you wish with any attachments that might be in it.

Generally these days they're Windows executables, compressed and archived with Zip into a file which is renamed 'something.rar', and which is then archived *again* with zip.

Which was all a waste of time if you then send it to somebody who only runs Linux boxes, but then the average criminal isn't the sharpest tool in the drawer or he wouldn't be your average criminal.

Most of the time, for me at least, all this just means I report them to at least half a dozen organizations who explicitly ask to see copies of spammy and/or malicious messages.
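The layering this post describes (a Windows executable zipped, the zip renamed to '.rar', the result zipped again) is easy to check for mechanically, provided the check looks at what the bytes are rather than what the filename claims. The following is an added example written for this page, not the commenter's milter nor anything from Freecycle: it parses a message, walks every attachment, descends into anything that starts with the zip magic regardless of extension, and flags leaves that carry a real PE header (an 'MZ' stub whose e_lfanew pointer lands on 'PE\0\0'). The message and the executable inside it are constructed in memory, with a depth cap and a size cap so a nested or decompression-bomb archive cannot exhaust the scanner.

```python
"""Inspect e-mail attachments for nested zip containers hiding Windows executables.

Added example for this page (not the original post's code). The sample message,
the fake PE stub and the size/depth limits are constructed for the demonstration.
"""
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip container
MAX_DEPTH = 4               # assumed limit on archive-in-archive nesting
MAX_BYTES = 10 * 1024 * 1024  # assumed cap on any single extracted member


def is_pe(data: bytes) -> bool:
    """True if data carries a PE header: 'MZ' stub and e_lfanew -> 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def walk_blob(name: str, data: bytes, depth: int = 0):
    """Yield (path, kind) for every leaf, descending into zips by magic bytes only."""
    if depth > MAX_DEPTH:
        yield (name, "archive-too-deep")
        return
    if data.startswith(ZIP_MAGIC):          # a '.rar' that is really a zip is still a zip
        yield (name, "zip")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_BYTES:   # declared size, checked before reading
                        yield (f"{name}/{info.filename}", "oversize")
                        continue
                    yield from walk_blob(f"{name}/{info.filename}", zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            yield (name, "corrupt-zip")
        return
    yield (name, "pe-executable" if is_pe(data) else "other")


def inspect_message(raw: bytes):
    """Parse a raw RFC 5322 message and return findings for all attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(walk_blob(part.get_filename() or "unnamed", payload))
    return findings


def verdict(findings) -> str:
    """Reject if any leaf, at any depth, is a PE executable."""
    return "reject" if any(kind == "pe-executable" for _, kind in findings) else "accept"


def build_sample() -> bytes:
    """Construct the layering from the post: PE stub -> zip -> renamed '.rar' -> zip -> e-mail."""
    # Constructed stub: MZ header, e_lfanew = 64, PE signature at offset 64. Not a real binary.
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 100
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.rar", inner.getvalue())   # zip bytes wearing a .rar name
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    found = inspect_message(build_sample())
    for path, kind in found:
        print(f"{kind:16s} {path}")
    print("verdict:", verdict(found))
```

The useful property is that the decision never consults an extension or a MIME type: the outer container is opened because it begins with `PK\x03\x04`, the inner 'invoice.rar' is opened for the same reason, and the leaf is rejected because its bytes are a PE image. A real milter would add the other container formats and hand anything it cannot open to a sandbox, but the structure of the check is the same.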

Germany's wild boars still too radioactive to eat largely due to Cold War nuke tests

sitta_europea Silver badge

Not sure what the last reply was trying to convey, but for the avoidance of doubt yes, a typical human would give 4,000 clicks per second, every second of his life, on a 100% efficient whole-body counter which could catch the anti-neutrinos from the beta decays. Not a Geiger counter though, because we're talking here largely about beta decays and a Geiger counter wouldn't see most of them, and it would see exactly none of the neutrinos. It would see some of the gamma rays produced when the beta particles were absorbed by the body. You need to distinguish between a radioactive event and its detection. If the radiation is isotropic and the sensitive area of the detector subtends a small fraction of the surface of the notional sphere surrounding the, er, target, then a typical detector is only going to see a small fraction of the events - even if it is *both* sensitive to all the events which impinge upon it *and* 100% efficient, which it very probably won't be.

But yes, that's 4,000 decays per second, every second, throughout his whole life. That's not "a lot", of course. Not even remotely high-level waste. I've routinely handled things that weigh a gramme and are a million times more active than that, and I've swallowed ten times more radioactivity in a single pill:


sitta_europea Silver badge

Let's not forget that every person on the planet contains enough potassium-40 to completely overwhelm the smidgin of radioactive caesium we're talking about here.

A typical 70kg adult will contain about 4,000 becquerels of K-40.

Nothing you can do about it.


sitta_europea Silver badge

Give over, hydrogen is a hundred and forty-two.

Pumping how much gasoline? And pumping gasoline doesn't deliver energy, it absorbs it.

sitta_europea Silver badge

Re: Question

The disaster was caused by an idiotic, unsanctioned experiment on a reactor with widely known design defects.

NASA's OSIRIS-REx spacecraft is returning with its first-ever asteroid sample

sitta_europea Silver badge

> Evidently NASA does not have an Amazon Prime account.

But on the bright side, this does mean that the sample won't be left under a neighbour's van and then get stolen by a small dog.

sitta_europea Silver badge

Re: Long term weather forecast

Yeah, I nipped over to France to see it. Took my girlfriend (now wife) on the back of my new 1200 Bandit.

It hissed it down the whole time. The only way we knew that the eclipse was actually happening was that the local dogs started howling and the street lights all came on.

Still, it was good to see the look on the mechanic's face when I took the bike back for its 600-mile first service - three days after I'd bought it.

Apple security boss faces iPads-for-gun-permits bribery charge... again

sitta_europea Silver badge

Yes he did, it's called a conspiracy.

sitta_europea Silver badge

No, of course he didn't commit a crime.

He'd have given a couple of hundred iPads to anyone who asked for them, wouldn't he?

I mean, Apple is such a generous, upstanding company.

Isn't it?

University cuts itself off from internet after mystery security snafu

sitta_europea Silver badge

"Sunday afternoon, after careful evaluation of a significant security concern, we made the intentional decision to sever our ties to the internet," said Ravi Pendse, Chief Information Officer, Sol Bermann, Chief Information Security Officer, and Andy Palms, Executive Director of Infrastructure on Monday. "We took this action to provide our information technology teams the space required to address the issue in the safest possible manner."

Or they could just have said,

"We failed."

India set to launch Sun-spotting satellite on Saturday

sitta_europea Silver badge


More UK cops' names and photos exposed in supplier breach

sitta_europea Silver badge

If they're that careless with information about their own staff, what must it be like in the complaints department?

Japan complains Fukushima water release created terrifying Chinese Spam monster

sitta_europea Silver badge

The amount of tritium released into the Pacific Ocean at Fukushima is much less than one percent of the amount produced naturally every year in the atmosphere by cosmic rays:


Perhaps people should be protesting about the Milky Way.

Surprising anyway that China should grumble about a batch of tritium being released into the Pacific after ten years of storage when over the same period they themselves seem quietly to have released at least as much from their facilities at Fuqing and Sanmen - into the Taiwan Strait and the East China Sea respectively:


Talk about teapots calling kettles!

Whiffy malware stinks after tracking location via Wi-FI

sitta_europea Silver badge

I'm going to side with the insurance companies on this one.

The criminals might not have done the arithmetic, but I'll wager the insurance companies have.

Taiwanese infosec researchers challenge Microsoft's China espionage finding

sitta_europea Silver badge

Re: Exciting? Yes. An existential threat? Probably. An otherworldly treat? Definitely.

Your babble is incomprehensible to me.

FBI: Who was going around hijacking Barracuda email boxes? China, probably

sitta_europea Silver badge

Probably not, because the compromise happens when the appliance processes the malicious mail message.

Most firewalls don't look at the content of the traffic which they police. Typically a firewall blocks connections based on whether or not the connection is 'to be expected'.

Aside from connections from known bad sources, most connections to a mail appliance to offer a mail message to it will come under the 'to be expected' heading. These messages can come from absolutely *anywhere*, so blocking things like source IPs, ASNs, country codes, domains etc., won't do the job.

If the firewall permits the mail message to reach the appliance, it's game over.

If the firewall does deep packet inspection and prevents the message from being processed then yes, that will help, until the adversary gets wise to it and crafts a message which the firewall accepts.

It's easy enough to block these messages at the mail server, assuming that (1) such a facility exists, (2) the admin knows what he's looking for so he can write for example a Yara rule and (3, of course) the server itself isn't vulnerable.

I've had nothing but trouble from fancy gateways.

Keep It Simple. The more complicated things are, the more likely they are to have vulnerabilities.

sitta_europea Silver badge

So this is essentially a worm?

India lands Chandrayaan-3 spacecraft on Moon, is the first to lunar south pole

sitta_europea Silver badge

Re: Chandrayaan 3 did NOT land "at the South Pole"

The article also seems to say that the lander is in a place which contains many craters permanently shadowed from the sun. I'm not sure that's right either.

Ivanti Sentry exploited in the wild, patches emitted

sitta_europea Silver badge

"Each script is customized for a single version." The vendor also noted that applying the wrong script may prevent the issue from being fixed or cause "system instability."

So the script can't find out which version it's running on?

That doesn't inspire confidence.

Microsoft DNS boo-boo breaks Hotmail for users around the globe

sitta_europea Silver badge

Microsoft and SPF.

It seems to me that Microsoft has a company-wide mental block on SPF.

That they've never been able to get it right should be obvious to anyone who's read RFC7208 and the headers of more or less any email sent from AS8075 in the past decade.

I put it down mostly to pique at Microsoft's failure to take over the world with their version 2 of SPF, which (a) didn't work properly, (b) caused confusion everywhere, and (c) still requires mitigation.

Brainwaves rock! Scientists decode Pink Floyd tune straight from the noggin

sitta_europea Silver badge

Re: Visceral response

"The Final Cut" reduced me to tears the first time I listened to it in 1983 (unluckily this was in the lounge at my Production Manager's new home) and it still does if I'm not ready for it.

Boffins reckon Mars colony could survive with fewer than two dozen people

sitta_europea Silver badge

Re: It all seems a bit pointless

I'm glad somebody else thinks like I do.

Sextortion suspects on trial after teen victim dies from a self-inflicted gunshot wound

sitta_europea Silver badge

Maybe now crimes are only considered serious enough to warrant an investigation if somebody dies.

Every day, our mail server here typically sees dozens of attempts at fraud and several attempts at extortion.

They're all reported to the relevant government bodies, to people like SpamCop, and to Bitcoin scam websites etc., but after the thousands of reports we've sent I can't say that I've ever seen anything actually happen as a result. Maybe a DNS blacklist score got incremented here and there, but certainly I've never been asked to give evidence.

We don't bother with the police. The last time I actually tried to get the police interested in a scam, the chief of the Nottinghamshire Fraud Squad told me they wouldn't investigate anything unless at least fifty grand had been stolen. That was twenty years ago. All I had was the name and address of the criminal and an obviously stolen cheque that he'd sent as payment for an order he'd sent to my business. The boneheaded criminal hadn't even noticed that the person from whom he'd stolen the cheque book was female. Of course I didn't waste time pointing this out to him. When I told the boneheaded bank manager at the branch the cheque was drawn on that I had a stolen cheque he said "Bank it". To protect the innocent, let's say that it was Lloyds Bank, because it was, and after much protest I did in fact bank it. After a while the bank started to ask for the money back, but I planned to keep it in the business account until I got an apology from the Chairman of Lloyds. But that never happened, because one day when I was on holiday this same manager asked for the money back and my boneheaded business partner sent it. Oh, well.

If it was a full book of 30 cheques that had been stolen, and they were all used for frauds of a few grand, that would easily have been over Nottinghamshire's fifty grand threshold.

A while later I tried to report a very obvious online fraud to "Actionfraud". The person who took the call spent the entire conversation trying to persuade me that it was probably all just a mistake. It was more or less at that point that I gave up on reporting frauds to the police. Nowadays I wouldn't even bother reporting a burglary - and I *have* reported three in my time.

I lean to the view that if we dealt more seriously with some of the lesser crimes, some of the greater crimes would never happen.

Beware cool-looking beta crypto-apps. They may be money-stealing fakes

sitta_europea Silver badge

If you don't expect the attachment, don't know exactly what's in it, and don't know how to find out without 'opening' it, then it's probably best just to delete it.

In my experience most virus scanners miss a frighteningly large fraction of malicious attachments. Few will reliably find even four out of five. Some find no more than a few percent.

Don't open any unknown attachment, even if you have scanned it.

Sometimes it's a risk even to use the scanner on your computer to scan an attachment.

If you really know what you're doing you might want to send it for scanning at Virustotal or Jotti.

But whatever you do, don't bet on the result.

Google Chrome to shield encryption keys from promised quantum computers

sitta_europea Silver badge

Re: Teaser......Diffie/Hellman might be more secure than described......

"Is this statement true?"

As I understand it, the negotiation is safe at the moment because even if you listen in to the entire conversation, to crack the negotiated keys demands calculation power which we do not currently have.

Basically the question is "What are the two big (and prime) numbers which, when multiplied together, make this other big number?"

Currently, the question can be answered only if you weren't very clever about the numbers that you chose. Like for example Debian's accident a few years ago, when after it all went public I found in lists on the Internet several of the private keys that I'd just revoked.

In the relatively near future we expect to have the computer power to be able to answer that question for a lot more of the numbers -- even if you were as clever about choosing them as we think it's possible to be, and as a result they would currently defeat our computing prowess.

So yes, I think the statement stands.
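The post's point about keys that were "not very clever about the numbers you chose" is worth seeing in code. The block below is an added example for this page, not the commenter's code and not anything from the Register article: it models a key generator whose randomness has collapsed to a small seed space (the Debian incident is the famous case; the 1024-state space, the 40-bit primes and the deterministic Miller-Rabin routine are assumptions chosen so it runs in a second). The attacker never factors anything. They regenerate the key for every possible seed and compare moduli, and a pairwise gcd over a batch of keys exposes any two that share a prime.

```python
"""Recovering 'big prime' factors when the generator's entropy is tiny.

Added example for this page (not the original post's code). Key sizes, seed
space and the sample moduli are constructed for the demonstration; real RSA
primes are 1024+ bits, which changes nothing about the seed-search attack.
"""
import math
import random

SEED_SPACE = 2 ** 10   # assumed: the broken RNG can only start from this many states
PRIME_BITS = 40        # assumed toy size so the search finishes quickly

# Deterministic Miller-Rabin witnesses: correct for every n < 3.3e24, which
# comfortably covers our 80-bit moduli.
_WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):   # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for base in _WITNESSES:
        a = base % n
        if a == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(rng: random.Random, bits: int) -> int:
    """Draw odd candidates of exactly `bits` bits from rng until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def weak_keygen(seed: int):
    """The flawed generator: everything derives from a seed in a small space."""
    rng = random.Random(seed)
    p = gen_prime(rng, PRIME_BITS)
    q = gen_prime(rng, PRIME_BITS)
    return p * q, (p, q)


def recover_by_seed_search(n: int):
    """Attacker: replay the generator for every seed and match the public modulus."""
    for seed in range(SEED_SPACE):
        cand, factors = weak_keygen(seed)
        if cand == n:
            return seed, factors
    return None


def shared_prime_attack(moduli):
    """Pairwise gcd over a key batch: any shared prime factors both moduli at once."""
    hits = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = math.gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:
                hits[(i, j)] = g
    return hits


if __name__ == "__main__":
    n, (p, q) = weak_keygen(777)            # the 'victim' key; 777 is a constructed seed
    print("public modulus:", n)
    print("recovered:", recover_by_seed_search(n))
    n2, (p2, q2) = weak_keygen(5)
    # Constructed third key that reuses p from the first and q2 from the second.
    print("shared primes:", shared_prime_attack([n, n2, p * q2]))
```

Two things to take from it: the cost of the seed search is the size of the seed space, not the size of the primes, so a 4096-bit key generated from a 15-bit seed is a 15-bit key; and the gcd test works on the public keys alone, which is exactly how the leaked Debian keys were matched up after the fact.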

sitta_europea Silver badge

Re: That's good

"... I don't want someone capturing a session where I'm logging in this year and decrypting it to steal my account in 2038!"

I feel sure you didn't choose that year by accident...

sitta_europea Silver badge

Quoting Matthew Green, a cryptography professor at Johns Hopkins University,

"... in principle any encrypted messages sent today could be stored until those computers are eventually built. By adding post-quantum encryption to today’s connections, that threat is eliminated."

Correction. That threat is eliminated if it's done properly. Sadly our record on doing things properly on the Internet is somewhat less than stellar.

"Krauthamer ... also pointed out that President Biden last year signed H.R.7535, The Quantum Computing Cybersecurity Preparedness Act, which requires US government agencies to begin moving toward quantum resilient cryptography."

But she failed to point out that none of this would stop a bunch of spotty teenagers from compromising any number of large US corporations, which they did by simply going around all the fences.

None of this high-tech stuff will ever stop them.

Electoral Commission had internet-facing server with unpatched vuln

sitta_europea Silver badge

"Exchange Server runs with highly privileged Active Directory accounts by default..."

What a great idea.

But when every day I see the amateurish borkage that Microsoft continually perpetrates in the name of email, I suppose I shouldn't be surprised.

Yesterday they told me that an email that I didn't send had failed SPF verification.


Magento shopping cart attack targets critical vulnerability revealed in early 2022

sitta_europea Silver badge

"... businesses find it difficult to properly identify all their assets ..."

Let me try to help with that.

This is the one that takes the money from the customer.

US Cyber Command boss says China's spooky cyber skills still behind

sitta_europea Silver badge

"Remember what 2021 was like for us ... from that year forward, we think differently."

By that time you'd been in post for three years. What the fuck were you doing?

There's a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack

sitta_europea Silver badge

While I wouldn't go as far as some, I'd characterize this as "Your Virtual Private Network won't keep your Network traffic Private if you don't use it".

Well, er, obviously.

Computers and networks are complicated.

Keeping them secure is difficult, beyond most of even the savviest of users.

It's so far beyond the layman that it's probably doing him a service to give him no configuration options at all, and otherwise not even mention it.

Sometimes, I think, with some of these tools, it's a bit like giving an angle grinder to a six year old. The outcome isn't really in doubt, and you're really not going to like it.

Rapid7 prepares to toss 18% of workforce to cut costs

sitta_europea Silver badge


North Korean hackers had access to Russian missile maker for months, say researchers

sitta_europea Silver badge

Re: The Russians run their missile development on Windows?

" “SentinelOne developed AI-based software that protects laptops and cellphones from security breaches by identifying unusual behavior..." "

Shirley if unusual behaviour is detected it's already compromised and it's too late to "protect" it?

Alarm raised over Mozilla VPN: Wonky authorization check lets users cause havoc

sitta_europea Silver badge

In my experience of reporting issues to Mozilla, this all sounds very familiar and completely normal.

It took them more than eight years to get onto my last report, which was only that it was impossible with their user interface to set up the Mozilla mail client to use a local server...

So despite *really* not wanting to, I kicked Mozilla into touch, for everything, years ago, and won't ever be going back.

Astronaut-menacing sunstorm spotted rippling across inner solar system

sitta_europea Silver badge

Re: Nobody could have predicted the Tsunami

"...the Carrington Event in 1852 (https://en.wikipedia.org/wiki/Carrington_Event) would have probably destroyed most satellites in orbit by frying the electronics..."

It would fry quite a lot of stuff on the ground too.

See the article for reports of telegraph operators getting shocks from their equipment, and one of operators working a link for two hours without the batteries connected.

I suspect that something similar to the Carrington Event happening now would send society back to the 1930s.

Looking on the bright side, most modern weaponry would probably be destroyed.

But you could forget about the Internet for at least a few years.

Couple admit they laundered $4B in stolen Bitcoins after Bitfinex super-heist

sitta_europea Silver badge

You'd have thought with those skills that they could have made quite a lot of money legally, and stayed out of prison.

I'm always depressed by the mindset of the criminal. After all he's human, just like me.

Socket moves beyond JavaScript and Python and gets into Go

sitta_europea Silver badge

Whatever happened to doing one thing, well?

MIT boffins build battery alternative out of cement, carbon black, water

sitta_europea Silver badge

Re: Usual misleading PR

"... It's bad enough when media types, bless their innumerate selves, get confused, ..."

Yep. The article's description of a capacitor seems like it came from Pins and Needles magazine.

Any two conductors that aren't connected to each other form a capacitor. No need for any electrolyte. It's the bane of the integrated circuit manufacturer. Yes, surface area matters. You can store charge (and thus energy) on the surface of a glass rod that you hold in your hand. I did that at school, back in the 1960s. Of course the amount of energy that you can store on a hand-held glass rod won't power your TV for very long.

The 10kWh(e) that you could store in a hundred tonnes of concrete could by comparison be significantly more useful, but not so significantly that I'd be likely to shell out for it. After all, as has been pointed out already, there's a *lot* more thermal energy in that mass of more or less *anything*. For one degree C temperature rise of a hundred tonnes of water for example, you have ten times the energy that this capacitor stores and you'd also be able to make practical use of it - quite possibly without any extra effort, for example it would keep you warm in winter if you just put some of it in a hot water bottle.

As a useful yardstick, a gasoline gallon is very roughly 33 kWh.

Somebody wake me when you can put that in a capacitor that will fit in a shoebox. That's the sort of thing that you're going to have to do to get any, er, traction.

What would sustainable security even look like?

sitta_europea Silver badge

Re: What would sustainable security look like?

"...the desperation to offload your IT to organizations that care about it less than you do seems increasingly insane."

Have an upvote from me for that.

To "offload your IT" I'd add "and put everything in the cloud".

The trouble is when everything is in the cloud, and the cloud fails, everything fails.

I'm not even going to mention the Carrington Event.

Florida man accused of hoarding America's secrets faces fresh charges

sitta_europea Silver badge

Re: You sure are preoccupied by Trump and Musk!

Thank you, thank you, for that moment of absolutely hysterical laughter!

A room-temperature, ambient-pressure superconductor? Take a closer look

sitta_europea Silver badge

Re: Question

"If all the conductors in a desktop/laptop were able to be replaced with SUPERconductors, what would that mean?

Is the current in use low enough that the current density isn't an issue? Would it run stone cold and not need cooling? Would it run faster? Would it run longer on a battery charge? Not an electrical engineer, but want to know..."

Speaking as an electrical engineer, there's a very important law we engineers are taught which says "you can't always get what you want".

If we replaced the semiconductors and/or the resistors in the 'chips' with superconductors, unfortunately the chips wouldn't work any more.

In any computer there will be heat generated by current passing through the ordinary conductors in the machine, but a lot will be generated by the current which passes through the SEMIconductors in what we electronics engineers call the 'chips'. It's the chips in the computer which get hot, not the traces on the printed wiring boards. In fact the traces, usually copper (and so very good conductors *), are often used to conduct heat away from the components attached to them. The semiconductors are mostly made of very pure crystals of silicon which will never(**) be superconductors, and in any case there are lots and lots of resistors in the circuits in the chips, which are there in order to develop a potential difference across their ends when semiconductor devices pass current through them. The potential difference across a resistor is your logical value, '1' or '0', while it's being manipulated in the chip(***). Unfortunately passing a current through a resistor, in addition to generating a voltage, also generates heat proportional to the square of the voltage. A lot of work goes into reducing the voltage that's needed to unambiguously distinguish a '1' from a '0' in the presence of a lot of electrical noise, but there's a limit to what you can do in a very electrically noisy environment like the inside of a computer. I've glossed over a few other things but you get the picture.

Two things, more or less, limit the speed of the computer.

Firstly the thermal characteristics. Faster clock speeds means more power dissipated because you need to use higher currents to charge and discharge capacitances which you really wish weren't there but there's nothing much you can do about them; and the power has to be removed from the devices which generate it or they will destroy themselves.

Secondly the length of the wires. Because the speed of light is finite at about one foot per nanosecond, and we measure the switching speeds of many modern semiconductor devices in fractions of a nanosecond. The traces on the printed wiring boards between the chips are mostly transmission lines. At the moment at least, current density isn't a huge issue, but trace length is. Superconductors don't conduct signals especially faster than ordinary conductors - they're all limited by the speed of light. Current density *might* become an issue for superconducting circuits because of the magnetic field generated, which if it is strong enough may flip the superconductor out of its superconducting state, but right now we're a long way from worrying about that in your laptop.

(*) Metals are metals because they have free electrons in their crystal structure. In a metal, heat is primarily conducted by the free electrons. That's why metals conduct both electricity and heat well.

(**) Never say 'never' in engineering.

(***) There are chips (CMOS) which don't use resistors, they use transistors in place of the resistors, and that consumes a lot less power, but it also uses a lot more die area to make the same gates, so you can't make such a powerful processor with CMOS technology. That's just a real estate/manufacturing yield issue.

Stolen Microsoft key may have opened up a lot more than US govt email inboxes

sitta_europea Silver badge

"Incredibly as it sounds..."

No, it doesn't.

It isn't incredible that a key gets compromised. It's inevitable.

But no matter how much I keep on banging this drum, mostly I'm ignored.

Mr. Crawford is exactly right in his analysis.

VirusTotal: We're sorry someone fat-fingered and exposed 5,600 users

sitta_europea Silver badge

Re: False sense of security

"VirusTotal may have some use cases. But from my experience for phishing and scam sites the detection rate is near zero. Not sure about malware."

I hear what you're saying about the false sense of security which could perhaps represent a danger. I'm sure I've seen evidence for it but it would only be anecdotal so I'll say no more about that.

The threat profile from emails arriving here might not be typical, but I can share some of my experience, which is long and well documented.

I'm unable to comment on VirusTotal's (email) phishing and scam site detection performance because I haven't measured it, but I'd say it's pretty good for malware.

My milters, using a few simple Yara rules, routinely catch malware in email which multiple commercial and free virus scanners fail to identify. I have records for the last four hundred or so samples and about fifteen scanners courtesy of Jotti's Virus Scan. When I submit samples using our homebrew API to Jotti, very few threats are missed by all the scanners but the norm is for most of them to miss most threats. If I submit the threats (manually) to VirusTotal, the percentage of threats missed by all of the more than seventy scanners that they use is negligible, but again many of them seem to miss most threats.

You simply cannot rely on scanners alone. If you do, you are going to be compromised.