* Posts by EricM

111 posts • joined 2 Sep 2016


The point of containers is they aren't VMs, yet Microsoft licenses SQL Server in containers as if they were VMs


Yeah, smells like "embrace, extend, ..." of Oracle's bullshit VM policies...

... but I do not expect the usually following "extinguish" in this case, though ...

As Brit cyber-spies drop 'whitelist' and 'blacklist', tech boss says: If you’re thinking about getting in touch saying this is political correctness gone mad, don’t bother


Oh, so the GCHQ has "customers" ...

That might explain a lot ...

Why should the UK pensions watchdog be able to spy on your internet activities? Same reason as the Environment Agency and many more


This is a textbook example on why to avoid "slippery slope" regulations at all cost

Once the UK agreed to create mass snooping capabilities for use against terrorists, these capabilities created demand in all other departments of government.

You _can_ better assess, direct and punish a population in a number of ways without any privacy laws in the way plus full surveillance. Most citizens of former Eastern Germany know that well from experience...

After all, only a citizen that is observed 24/7 is a) a secure citizen and b) a citizen _constantly_confirmed_ to be abiding the law.

While China was doing it openly to suppress, in the UK it happened under the disguise (and maybe even intent) to fight terrorism. However, the result, as you will experience, is mostly identical.

Hopefully your example will at least spare some other countries the same fate as they have the opportunity to learn by example.

I wish you good luck since reversing this situation and prying surveillance powers back from government agencies all over the place will be much more difficult than preventing it happening in the first place...

Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay


Re: You are not really familiar with computer security, are you?

Sure you do that - you block all known attack vectors to access the data.

Until someone comes up with a new idea or - as is likely in this case - someone turns an authorized user's computer into a trojan horse that effectively steals the documents.

For encryption at rest:

Many people think that's a silver bullet, however, if continuous accessibility of the information is part of the requirement (which is true in most cases) you need to distribute the password/private key in some form to the point of access, otherwise even the authorized end user cannot read and work with the data. That's why I tend to view most implementations of encryption at rest somewhat as snake oil. They just make it somewhat harder to extract cleartext data.

Same problem with air-gapping systems.

In this case you need to bring every user of the data behind the air gap. Which excludes such a solution from most real-world scenarios.

Especially in complex distributed development, where optimized sharing of documentation/information is regarded as key to mission success..


Re: You are not really familiar with computer security, are you?

> That is part of what I'm talking about - is it a fundamental truth that invisible doors and papier maché walls will exist? If so, why?

Necessarily. Whatever you need to do in computer security, securing Websites, Web-Apps or simply securing documents inside a company, you need to work with existing (and continually changing) hardware, firmware, drivers, operating systems, network protocol implementations, firewalls, management solutions, etc.

Every component you work with is updated regularly (if you do it right). This means a) known bugs are closed, b) new features are added and c) new bugs are introduced, every single one a potential new door.

On all architecture levels mentioned above - simultaneously.

> too much reliance on "somebody else".

Yes, every application you create/run/maintain today sits on a ton of other software you cannot control.

OK, you _could_ try to create a for example document management solution based on your own hardware, firmware, drivers, OS, own network stack, own firewall code and finally own application.

But you'd need to invest thousands (millions?) of man-years to create and test tons of new code.

And with an overwhelming probability your own code will have many more bugs than the stuff already on the market that has been tested in thousands of installations.

So, yeah, relying on somebody else is a problem, but having to code everything up from bare metal yourself would pose a worse problem in terms of security, let alone feasibility.


Re: You are not really familiar with computer security, are you?

> Now imagine the liability if you used that place to store hugely valuable stuff. You would have done your due diligence on the building before using it, and not taken someone else's word for its security. To do otherwise would find you liable for civil and possibly criminal action.

Accept criminal liability for security in a world where invisible doors exist and you cannot tell concrete and cardboard apart?

I'd get a new job immediately, since no amount of due diligence will make sure I have not overlooked one of the invisible doors. Or that no new door will pop up due to changes made by somebody else tomorrow.


You are not really familiar with computer security, are you?

As a virtual real world example :

Try to secure a building. You use Perimeter controls, fences, secure doors, alarms, etc. Not hard, right?

Now try to imagine to secure a building where fences have holes you cannot see. Where walls have doors you cannot see. Some walls that used to exist forever are gone the next day. Some walls only look like walls when in reality they are just props from a film set. Where people that you cannot control are working on structural changes and who routinely refuse to tell you what they did. Where alarms notice some trespassers while ignoring others. Where you learn one day that while you thought you had the only keys to the building, the company who made the doors was handing out every key to every door they ever made to anyone who asked...

Good luck with that...

Astroboffin gets magnets stuck up his schnozz trying and failing to invent anti-face-touching coronavirus gizmo


At least he tried to DO something meaningful ...

Contrary to people writing sarcastic comments here ...

Theranos vampire lives on: Owner of failed blood-testing biz's patents sues maker of actual COVID-19-testing kit


0.00 as "reasonable compensation" for suing patent lawyers in this situation is too generous...

On an emotional level I'd like to see the pitchfork-based responses above implemented, but that's a bit too much 18th century style ...

But what about some 100hrs of community service to make up for the crap they cause?

Don't be fooled, experts warn, America's anti-child-abuse EARN IT Act could burn encryption to the ground


Problem: Math does not know if you are crook or cop.

Stopping E2E encryption of Whatsapp and Apple - Then what? Criminals/child predators moving to other services, of course. So what will be the next steps?

Will Telcos be forced to provide crackable in-transit encryption (like a backdoored https) in order to "earn" or keep their exemptions?

Will Hosting providers be forced to only provide crackable at-rest encryption in order to earn or keep their exemptions?

As the "law" would just authorize basically *anything* a commission comes up with, this could become a very slippery slope...

Math laws cannot be selectively enforced for citizens and waived for police. Every encryption that becomes crackable/backdoored for police will also become crackable for criminals.

So software and services of US origin will become insecure in a very basic sense of the word.

As a consequence, once this really becomes law, we will probably see the downfall of the great US software empire, as only the EU and Asia will be able to construct secure products.

Campaigners cry foul play as Oracle funds conservative lobby group supporting its court case against Google


Re: Who expects honesty and decency from Oracle ?

""Who expects honesty and decency from Google" I would also have agreed."

Agree, and I must say I'm not into this topic for Google, or for honesty and decency for that matter.

But if Oracle wins this case, the whole software industry which, since its inception, always was based on the fact that APIs are not copyrightable, will suffer heavily under lawsuit after lawsuit.


"They go after many respected think tanks and call them 'Google shills' while themselves getting money directly from Oracle"

Well, after all, accusing the other side of what you are guilty doing, is, in fact, an as widely used strategy as is buying support from groups that are portrayed as being neutral and interested in "public wellbeing".

A classic comms strategy, albeit dishonest and opportunistic ...

10/10 on the Oracle scale, I'd say.

Let's hope the judges see through this ...

World Wide Web's Sir Tim swells his let's-remake-the-internet startup with Bruce Schneier, fellow tech experts


Re: Well, Well, Well...


and based on the fact humanity came up with crap ideas how to use flintstone, fire, the wheel and basically every invention since then this was quite to be expected ...

_Every_ invention that works will also be used for negative goals.

And his invention works perfectly :-)

Oracle staff say Larry Ellison's fundraiser for Trump is against 'company ethics' – Oracle, ethics... what dimension have we fallen into?


Agree, Larry & Trump are quite a good fit, actually.

At least in the way they treat employees and customers. But I also wonder how "ethics" might fit in that picture...

Oracle tells Supremes: Fair use? Pah! There's nothing fair about 'Google's copying'


"Creative choices", yeah, sure ...

Actually Oracle bought SUN's server biz.

Java was an addition they never knew how to use - until they came up with using it as tactical weapon in court to unfairly attack competitors.

"creative choices" in API naming... can't make that shit up.

The only thing "creative" I see here is the Oracle legal argument....

Beware, Tesla might take away your car's autopilot if you buy its vehicles from third party dealerships – plus more news


Re: bits of your car not working...

This is more like a traditional car maker breaking into the car you just bought from a dealership and removing a feature ( say, the NAV system or the seat heating ) because " - you - did not pay [the manufacturer] for it" ...

Sounds weird, in case this story really happened that way ...

Just because a "feature" of a car is a configurable software item and not a physically installed item, it still belongs to the car's features that are sold to the first customer who for all I know should be allowed to sell it to a new owner via dealership or directly.

WannaCry ransomware attack on NHS could have triggered NATO reaction, says German cybergeneral


Re: Exactly, attribution is THE problem.

I assume you are aware that Hacking attacks can - and in fact are - also be executed from the soil of the US, UK, Germany, France, etc.

If so, how much of a nail are these countries?

How appropriate would be military action in these cases?

And why should other countries be more of a nail, just because we do not live there?

Nope, thinking about responding to a Virus/Malware with military force is simply stupid.


Exactly, attribution is THE problem.

"If the only tool you have is a hammer, every problem looks like a nail" comes to mind ...

Applying military "thinking" to civil problems like computer security is a danger to public security.

Is this just a General trying to appear relevant or NATO trying to do the same?...

In the red corner, Big Red, and in the blue corner... the rest of the tech industry


Re: Not Just Re-Implementing

That's how Oracle tries to muddy the water ...

Oracle basically claims that the hard thought-out and innovative names of functions and parameters, aka "the API" were copied/stolen by Google.

They never claimed the implementation itself was copied/stolen - but they sure as hell make it sound like that to the judges.

Oracle and Google will fight in court over Java AGAIN and this time it's going to the Supremes


From the principles it is exactly the same setting.

SCO claimed copyright on kernel API. So despite a clean-room implementation Linux would have violated copyright.

Oracle claims copyright on API description on Java functions, so even clean-room re-implementations of the API would violate copyright.

You are right. No idea who owns the SCO copyrights these days, but they will rise in value massively, should Oracle win.


Re: Is this the new way that lawyers present themselves in public?

Is it just me or is insisting that black is white actually the common way ?

For lawyers AND Oracle ...

Google: We've achieved quantum supremacy! IBM: Nope. And stop using that word, please


Sudden outbreak of common sense at IBM

IBM argues against hyping test results - I'm positively shocked :-)

Hope they keep the same level of scepticism when announcing their own next results in the field...

IBM: Why yes, Red Hat is doing great. Thanks for asking. The rest of Big Blue? Sure, wait – someone's at the door...


Re: Ginni's cunning plan...

Improbable, as RedHat, just like any other Linux Distro, is pretty replaceable.

Re-training support staff from RHEL to another distro should be completed quickly if need be.

There's just not enough lock-in potential for IBM to get away with big price hikes or changes in the licensing fine print the way Oracle does it.

That said, I like RHEL, the way RedHat behaved as a company and how they were easy to work with.

I hope that will not change under IBM.

But, if it does, we are ready to move...

Tut – you wait a lifetime for an interstellar object then two come at once


Space is -really- big and for the most part depressingly empty

Even at a rate of 2 Million in 2 years there would not be a good chance of any direct hit with any solar system body, let alone tiny earth ...

However, the night sky view would become spectacular: Imagine 10.000 active comets when you look up in the dark at night :)

Zapped from the Play store: Another developer gets no sense from Google, appeals to the public


Kafka's "The Trial" was not meant as an organization or service blueprint, Google ...

Dystopic situation to be in... being punished and not knowing why.

Hong Kong ISPs beg Chinese govt not to impose Great Firewall on them


The Chinese Government not used to handling an informed population ...

It's easy to control a population if you completely control the News and all Internet activity - and the Chinese government seems to have gotten dependent on that level of control.

You can manipulate their perception, can blatantly lie to them whenever it suits you and can make them love the heroes of their government and the KP - even though these organizations roughly have the same percentage of corrupt bastards as in every other government.

Together with the social scoring system that enforces citizen's compliance and curbs any critic to zero - even by people you just happen to know - Mainland China has become a full-fledged police- and surveillance state that basically knows what people think and punishes them for thinking the "wrong" things or holding "wrong" opinions.

It must feel really alien to the Chinese KP to not have that level of manipulation and control over Hong-Kong's population.

Must be like driving a bicycle hands-free.

Biz forked out $115k to tout 'Time AI' crypto at Black Hat. Now it sues organizers because hackers heckled it

Re: Openly and fairly...

Judging just by the video linked in this article, I think it's perfectly open and fair to call bullshit on this "solution".

In fact, if the presentation maintained only about half the fantasy level of the video, I'm surprised they were even able to finish the presentation ...

Both, hackers and engineers, are not known to tolerate fantasy marketing very well.

Leaked EU doc plots €100bn fund to protect European firms against international tech giants


Re: What makes the EU think they can do better than the VCs?

Probably the fact that all VC money is currently spent on "doing XXX with blockchain/AI/Deep Learning" and more general on startups that promise to gather, use and sell sensitive customer data as recklessly as the current market leaders?

Donald Trump blinks in his one-man trade war with China: US govt stalls import tariff hike on Chinese phones, laptops, electronics


Re: "I saved the Christmas!!!"

And that is also the reason why existing or announced tariffs will not lead to significant relocations of production capacity.

These relocations need several months to several years to be planned & executed. Several more years in stable economic situations to pay for themselves.

And that stability can not be expected from the US government.

Either Trump tries raising taxes permanently, tanks the US economy and loses the next election or he will soon drop the new taxes in response to a probably meaningless "fantastic deal" he will pretend to have reached with the Chinese.

In neither case these tariffs will last anywhere long enough to justify any long-term relocation of production capacity back to the US.

Neuroscientist used brainhack. It's super effective! Oh, and disturbingly easy


Yep: Think Otherland instead of Ringworld

OK, the Ringworld reference was quite obvious from the Rat's "optimization" of behavior.

However, maybe Tad Williams' novel "Otherland" might offer a not quite so frightening scenario on how to use/abuse such tech, if it should become available and really reach that level of tactile and visual sensory input.

Court drama: Did Oracle bully its customers into the cloud? Nine insiders to blow the whistle


That's because Oracle licensing IS meant as a trap ...

To be fair to your DBAs: The licensing traps like D&T, AWS, hot/cold standbys, SAN replication, etc. are carefully avoided in technical DBA trainings and even experienced DBAs I work with are often fully ignorant of the licensing status of their installations, if they work in a purely technical capacity.

Even Oracle sales staff will not always produce correct answers when calculating the number of licenses for a given, even slightly complex, setup...

Especially if it involves Cloud components other than Oracle's legacy stuff ...

This, let's call it 'situation', opens up a nice huge attack surface for the other Oracle sales staff (auditors) to ram new products and services into existing victims/customers.

So this licensing complexity problem with Oracle products does not seem to have happened purely by accident.

It seems to be a carefully designed strategic sales tool of the worst kind.

Oracle co-honcho Mark Hurd can't wait to turn your $1 of IT support spend into $4 of pay-as-you-go cloud revenue


"We don't have an IT person" ... and selected Oracle Cloud to run our business

I have a feeling as if these 2 facts might be connected ...


Re: license audit/support strong-arm tactics

Yes, just imagine having a company behaving like Oracle possessing all your data AND servers, giving them the power to take your whole company fully offline in case of a commercial dispute.

President Trump sits down with Twitter boss for crunch talks: Why am I losing followers?


According to Twitter's policy about promoting more "civil" discussions...

they should probably treat this Twitter account as the mental health issue it is and simply close it..

New UK counter-terror laws come into force today – watch those clicks, people. You see, terrorist propag... NOOO! Alexa ignore us!


What are they trying to prevent - instant brainwash?

Is such law based on the assumption that terrorist propaganda, in a way, _creates_ more terrorists? So that a normal, law-abiding citizen just reads through some BS posted online and thinks: "Hey, killing people and using $DEITY or $IDEOLOGY as a pretense might be a great idea after all"?

Is it instant brainwash that should be prevented by this law?

Looks like someone watched too much Sci-Fi...

This is an interesting interpretation of "free will" and free speech that seems to form the rationale of this law.

Also note that the definition of what might be regarded as terror OR propaganda is rather foggy ...

Huawei savaged by Brit code review board over pisspoor dev practices


Re: "Likely, similar issues will be uncovered in most other equipment."

No, that is "Likely, similar issues _would_ be uncovered in most other equipment, _if_ said other equipment was put through the same detailed tests"... but it isn't.

Oracle asks Supremes to snub Google's Java API copyright protest – and have a nice cuppa tea, instead


If Oracle wins, expect the SCO-vs-Linux case to rear its ugly head again ...

After all, SCO also claimed copyright violations that centered around the header files of kernel functions.

So Google using the API definitions of Java to cleanly re-implement the bodies of internal Java functions is to me (programmer, not lawyer) exactly the same.

As Red Hat prepares to become part of Big Blue, its financials look as solid as Linux kernel 2.4


Wise move financially? Perhaps. Culturally? Nope ....

The culture you need to maintain to retain staff in a company that is actively developing on the bleeding edge of IT and the culture of IBM (or any one of the remaining IT dinosaurs) are two very different things.

Let's see what happens to RedHat's innovative drive - and revenue - once the standard IBM management techniques regarding (or better: disregarding) their human resources kick in.

This ain't AI, it's a goddamn arms race – but US shouldn't get too heated, Congressman warns


AI has become the latest pretense to funnel money and favorable regulation changes to corporations?

This must mean AI has now truly joined the industrial mainstream... thought this would never happen :)

Two in five 'AI startups' essentially have no AI, mega-survey of nearly 3,000 upstarts finds


19 is equivalent to hyping your startup as utilizing "blockchained AI" ...

22 would be Artificially Intelligent Blockchains hosted serverless in the cloud and distributed via mobile App....

Seems to work in tech, too...

Age checks for online pr0n? I've never heard of it but it sounds like a good idea – survey


Re: Age check = ID

The one sensible idea in this whole mess is having a third-party do the actual identity validation completely independently from anything else. They are then able to provide some sort of verification token to any site that asks for it, presumably based on some sort of username/password you provide,

Yep, but providing uid/pw to a second or third party also reveals your identity to that party.

The possible promise of said third party to immediately forget your identity after the question does not count.


Age check = ID

The real problem: There is no anonymous way to prove your age.

You can only prove it by publishing also your identity to every site you want to access which does not seem to be the brightest of ideas for multiple obvious reasons.

The biggest uptick in demand for software devs by bosses is for... *rubs eyes* blockchain engineers?!?


Agree :)

Writing 3 LOC programs which work perfectly, but I won't understand myself any longer after 2 weeks IS fun.

Moneybags Buffett on ditching Oracle stake: I don't think I understand where the cloud is going


He doesn't understand "cloud" - well, neither does Oracle ...

Oracle still thinks it is becoming a cloud vendor, while in reality they are a tool vendor with a hardware compartment and identity problems ...

Cloud is the reason they are losing territory due to deteriorating tool quality and byzantine licensing terms & conditions in non-cloud and foreign-cloud environments.

It's a good thing Mr Buffett admits to himself he does not really understand the market and draws the correct consequences.

That is exactly the way Oracle is not acting.

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints


So there might still be hope for IBM?

A news item from IBM that does neither contain "Watson" nor "cognitive" and that contains a valid analysis plus some good advice.

That's better than IBM news bites have been doing for years...

You're on a Huawei to Hell, US Sec State Pompeo warns allies: Buy Beijing's boxes, no more intelligence for you


Protecting their own industry AND their involuntary intel sources

As the NSA is known to be bugging US-built servers and routers before delivery for years now, this move not only protects the American industry, but also ensures continued "information sharing" by allies...

Smaller tech firms just aren't ready for a no-deal Brexit, MPs told


Re: Taking Back Control!

yeah, true.

UK government takes back control, but - based on what I see in the live stream from British parliament - doesn't know how or where to drive the country any longer.

Without a deal EU companies are no longer automatically allowed to host data and services in the UK starting April 2019.

Likewise, UK IT staff is no longer automatically allowed to work remotely on EU data.

Hosting data/apps in the UK will be comparable to hosting them in the US or in northern Africa - regulation-wise. The potential legal problems will be enough for most companies to re-locate data and services inside the EU and staff it purely with EU citizens.

I guess there's not much individual businesses can do to prepare for that scenario. They will simply be excluded from what is currently a sizeable portion of their market.

Swiss Public Prosecutor will probe WIPO's misconduct allegations against CIO, says his legal counsel


WIPO is a broken organization

Out of control without effective ethics and compliance enforcement. Thank god they are not responsible for anything important and have nothing to do with anything "legal" ...

Facebook cuts off independent political ad reviewers, claims security concerns


Finally FB cares about privacy

even if only about privacy for their revenue earned for letting their customers manipulate the western political systems...



Biting the hand that feeds IT © 1998–2020