* Posts by really_adf

189 publicly visible posts • joined 21 Feb 2017

Page:

Datacenters near Heathrow seemingly stay up as substation fire closes airport

really_adf

Re: Redundancy has a cost

"NASA (and ESA/JAXA/etc) are the only ones who understand the true utility of redundancy and who are ready to support the cost of it, because when your probe is a billion miles away, you'd better hope that you have a functional backup plan if something goes wrong."

This seems a bit unfair: redundancy is prevalent in human safety-critical areas, though arguably too often only due to lessons written in blood. The on-board systems of aircraft are an obvious, fairly topical example but even everyday things like "mirror, signal, manoeuvre" incorporate redundancy.

really_adf

Questions will doubtless be asked

"Questions will doubtless be asked about why Heathrow doesn’t possess sufficient generation capacity to cover and event of this sort – like datacenters do."

I'm sure safety-critical airport functions (eg air traffic control, radar, runway lights and radio navigation aids) do have backup power so they can continue for a while. Buit all the things needed to support "customers" (which does not include perople arriving in an emergency) is probably approaching the power requirements of a small town.

I think the more interesting question is why the substation is apparently a single point of failure. I guess the answer is a combination of increaed power consumption and minimal infrastructure investment to support same, perhaps in part due to those datacentres.

Tiny Linux kernel tweak could cut datacenter power use by 30%, boffins say

really_adf

Re: if hardware is twice as fast next year

I'm not aware if such refactoring is available in modern toolchains. I hope it is, because the compiler itself is handicapped to follow what is laid out in the object definition.

As has been pointed out by others, the compiler can't reorder things because it would break interoperability. But even ignoring that (ie if the compiler somehow knows it could reorder), the order that is optimal for performance will typically (on systems with caching and prefetching) depend on access patterns and would be extremely difficult, if not impossible, for the compiler to correctly predict.

I don't see the compiler as "handicapped". Rather I see it just doing what the developer told it to, simultaneously solving interoperability and keeping it simpler. There is an underlying assumption that the developer knows what they are doing, but for C++ (or C) you have bigger problems if that isn't the case.

SLAP, Apple, and FLOP: Safari, Chrome at risk of data theft on iPhone, Mac, iPad Silicon

really_adf

Difference in response compared to Spectre

As I remember, there was quite a lot of fuss around various speculative execution-related vulnerabilities, with numerous mitigations each usually contributions done performance detriment. There seems less concern here.

The reason for the difference in response is unclear to me. Are the vulnerabilities discussed in the article quantitatively less severe? Good PR effort from Apple? Something else, or a combination of factors?

Europe, UK weigh up how to respond to Trump's proposed tariffs. One WTF or two?

really_adf

Re: when

[When] is someone going to just tell Trump to fuck off

Anders Vistisen, in his role as a Danish MEP, did exactly that the other day.

really_adf

Re: And

"...communities fracture and break up until everyone is looking out only for their own interests - even to the extent that there’s no safety net for the most disadvantaged in society and only the richest can afford healthcare, security and education."

The American way, at least in the eyes of some?

"... think what we could achieve if we all pulled in the same direction, rather than squabbling amongst ourselves?"

s/could achieve if/have achieved when/

Faulty instructions in Alibaba's T-Head C910 RISC-V CPUs blow away all security

really_adf

As a CPU micro architect, using a physical address in the vector unit is easier... it's cheaper in hardware implementation terms.

True for everything, not just the vector unit, no?

The hardware implementation might push for it, or say translating the first address... then running with that, but the only sensible solution is to translate every address, not in the same page boundary as previous addresses.

Would it be a reasonable compromise (between hardware complexity/performance and software constraints) to require each read/written address range to be wtihin a page, so that translating the first address of each source/destination is sufficient? Conceptually similar to requiring "load/store word" instructions to use a word-aligned address, but at a larger scale.

Such a choice would be acceptable for an embedded processor with no user access to these instructions.

No doubt there are use cases for vector instructions in privileged code, but I'd guess at least as many in user-mode code and on that basis, designing them to be available in user mode but always use physical addresses makes no sense (except as a deliberate back door).

really_adf

Is there any other processor that allows physical addresses except at the very very very lowest OS level?

Clearly, an OS can't provide memory protection if any user process is able to write to arbitrary physical addresses, so the answer must be "no" or very close to that. But there doesn't have to be an OS...

That’s a really serious bug, isnt it?

In other words, how did this get missed? The only obvious answers I can think of are that it wasn't tested, was only tested with the CPU in a mode that doesn't use address translation (by which I roughly mean "without an OS") or was only tested with the translation being physical == virtual.

A related question is whether this is a "simple" bug or not. It seems odd to me that only a particular instruction is mentioned as affected.

CrowdStrike hires outside security outfits to review troubled Falcon code

really_adf

Re: Zero Content File

Umm, yeah, the result of a file full of zeroes going (unless I am mistaken) entirely unmentioned is puzzling. It seems almost like the sort of thing a journalist ought to dig into...

W3C says Google's cookie climbdown 'undermines' a lot of work

really_adf

Re: The W3C is living in cloud cookoo land

"With tracking enabled, we get ads for big-ticket items we've already purchased, ads for things we looked up out of curiosity, ads for stuff somebody borrowed a machine to check on real quick, ... Not counting the 90% of ads which appear to be outright scams."

For me at least, "ads for big-ticket items we've already purchased" is a subset of "ads relevant to a page I recently visited when I have mentally moved on to something else." Excluding the specific case (where it is obviously useless), there may be some level of subconscious effect but it's surely much, much less than when the product/service being advertised is relevant to the page I'm currently looking at, and the sort of thing I may be thinking about.

Is the tracking enabled by third party cookies, which create all the privacy issues, as beneficial as it is purported to be? Or is it, like some ads, just another scam?

really_adf

Re: The W3C is living in cloud cookoo land

"No tracking, ever" is perfectly acceptable to me, and I'm sure many others.

I guess you mean it's unacceptable to advertisers, but their ancestors managed fine for decades if not centuries without the tracking of today's web, so the current lot can go fuck themselves as far as I'm concerned.

Microsoft's Azure networking takes a worldwide tumble

really_adf

"We have multiple engineering teams engaged to diagnose and resolve the issue."

Two teams, each pointing their fingers at the other?

Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk

really_adf

Re: sshd restart required after upgrade

A useful warning but it's worth noting (as described in the Arch package issue you linked) that's because of an unrelated change between 9.7 and 9.8, so won't apply where packages have a backported fix, nor if, unlike Arch, the restart is done for you by package scripts (a choice with pros and cons).

Also, in this case I think the potential for exploit is after the long-running sshd process has exec'd itself meaning the fix is effective without restarting sshd, but the conservative assumption and general case is that a restart is necessary so this should be standard practice anyway.

Google Chrome coders really, truly, absolutely ready to cull third-party cookies from 2024

really_adf

SAML seemed to do the job 20 years ago. Albeit with horrendous XML baggage.

Microsoft admits unauthorized access to Exchange Online, blames Chinese gang

really_adf

Re: Aquired taste

How did their MSA signing key get “acquired”?

Yes, and more importantly, how will that be prevented in future? Microsoft seem to have reasonable measures in place to detect and assess the problem, as well as the processes to mitigate it, but prevention is better than cure.

How could they have such a fundamental vulnerability as allowing tokens signed by a key for a consumer service access their enterprise service (OWA)?

I think "consumer" in "consumer signing key" refers to a service that validates and uses (ie consumes) the token that was produced and then signed using that key, not "consumer" as in "consumer-grade".

Another important question is, given the key provided "access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals", what else could have been accessed with it? If a single compromised key allows access to email of more than one organisation, what are the chances it was limited to those?

Cisco kindly reveals proof of concept attacks for flaws in rival Netgear's kit

really_adf

Re: ummm?

I think you're thinking of Linksys, bought in 2003 by Cisco and sold in 2013 to Belkin (according to Wikipedia).

Fat EVs may cause 'more death on our roads' – watchdog

really_adf

Re: American cars are too heavy - solution blame electric cars

It's of course true cats have got bigger and, especially, heavier. Part of it is crash safety, part "mod cons" all adding up. EV batteries make the problem a double whammy.

The only real solutions are fewer cars and better drivers. So we're fucked.

Too big to live, too loved to die: Big Tech's billion dollar curse of the free

really_adf

Re: Serves Google right

Of course, email is not a reliable transport, and anyone who doesn't understand that is an idiot. It was never designed as such, however.

On the contrary, It was expressly designed to be reliable. A core principle is thot when an SMTP server accepts an email, it promises to deliver it to a mailbox or pass on that responsibility to another system, and notify the envelope sender if it can't do either.

Accepting email but neither delivering it nor notifying the sender - usually because it "looks like spam" - is the violation of the above that makes it unreliable. "Backscatter" favours not accepting email that will not be delivered (or forwarded).

(I didn't downvote, for the record.)

Microsoft feels the need, the need for speed in Teams

really_adf

Re: Well, every little bit helps

upgraded from 'crippled slug' to 'drunken sloth'?

Pretty much my first thought. When it's so pathetically sluggish to start with there's plenty of scope for improvement.

The most amusing note to me was, "the Windows biz has apparently cut the latency involved with raising a hand by 16 percent."

(a) The UI latency of such an action being significant enough to consider measuring in the first place says there is a problem (network latency is unavoidable, but that should apply only for others to see a raised hand).

(b) IMHO the meaningful measurement is the time from beginning to act to raise your virtual hand until that action is completed. That increased manyfold when the UI was changed to move the button under "Reactions" and no technology improvement can ever recoup that.

EU puts smart device manufacturers on the hook for cyber security

really_adf

"Expected product lifetime ... or five years"

The fact sheet gives an obligation of the expected lifetime or five years. Who decides that lifetime?

Also, it's "whichever is the shorter". It certainly seems ridiculous for a car manufacturer to have no requirement for what is in practice more than half the lifetime of a car.

While a car is probably the most extreme example, similar can probably be said for many products.

Interconnect innovation key to satiating soaring demand for fiber capacity

really_adf

Why AI/ML?

Symbol rates, power levels, FEC parameters etc have long been managed to optimise links without any AI/ML, so what does that bring to the party?

Tech world may face huge fines if it doesn't scrub CSAM from encrypted chats

really_adf

Re: Will it happen?

No sensible Prime Minister would appoint [Nadine Dorries] to a cabinet position.

I'm not sure that answers the question of whether it will happen.

Website fined by German court for leaking visitor's IP address via Google Fonts

really_adf

Re: Faster web sites

Yes and no. A site hosting its own fonts, JS libraries, etc means no need to connect to other servers, But you'll download common resources once for each site, instead of just once.

I'm not sure I understand the basis of the fine. If I host a site, visitors must reveal their IP address to those operating intermediate routers. The visitor has no control over this. That's OK, because there's no alternative? I can reference remote resources but only if hosted by a provider that assures me it won't use the IP addresses it sees, beyond what is necessary?

US watchdog opens probe into Tesla's Autopilot driver assist system after spate of crashes

really_adf

Re: A solution looking for a problem

Is Autopilot a level 5 system? No

Does that mean it’s inherently bad? No

In and of itself, the latter may be true. However, the combination of the former, the name and human nature seems very likely to result in something for which "inherently bad" seems an appropriate description. That result is what is important, and seems to be supported by evidence.

Another question is, can anything less than a level 5 system avoid that result? If not, does it not follow that as long as the answer to your first question is "no", the answer to your second question is "yes"?

Adobe yanks freebie Creative Cloud offer – now universities and colleges have to put up or shut up

really_adf

Nowadays, if you asked someone to name a vacuum cleaner brand they'd probably say Dyson.

If you ask people to name a hoover brand, I think more would say Dyson than Hoover.

Venerable text editor GNU Nano reaches version 5.0 and adds the modern frippery that is scrollbars

really_adf

It seems typical of the GNU mindset to think "Ah! But the user may be using a machine without function keys!" It's 2020.

Personally I find function keys just a little too far away from my fingers, and I can't find them without looking (but I guess that's at least partly because I don't use them much). So perhaps "machine without function keys" is not the reason, or at least not the only reason.

With a wave of Nokia's wand, behold as your 4G network magically becomes... 5G

really_adf

Re: Whats not to like ?

The catch is that NR makes a whole slew of optional and rarely used features in LTE-A mandatory. The big one IMHO is carrier aggregation, ...

Sounds like this is something that the software update doesn't need to enable: use of the feature is controlled by the network. That is, it's a problem if not supported by phones, which won't work if the network uses it.

Call it a hunch but from Suri's previous comments I suspect the approach is technically questionable (ie will not deliver various intended benefits of 5G), and has been pursued by Nokia for non-technical reasons.

Apple said to be removing charger, headphones from upcoming iPhone 12 series

really_adf

Re: Yes please

Just... don't expect to be able to tell the difference in the price. After all, combined these two things together probably only cost a couple of quid at the volume Apple makes them...

Possibly more saving from reduced packaging and transporting more boxed phones per unit volume than the cost of the electronics.

GitHub to replace master with main across its services

really_adf

Re: "There's no slave in git though"

Masters are the official finalized recordings from which copies are made. A Git master branch constantly updates, so it should be main or devel.

The "master" branch is analogous to a master copy in that it is (in many cases) the one from which copies are made (new branches). Of course, I can't deny the "finished" aspect breaks the analogy, but then there's no such thing as finished software :).

Also, some people seem to think that by changing the word from master to main (or blacklist to blocklist) it's a condemnation of those who previously used the terms. It's not.

Regardless of the motive for change, the problem is that there are some people who will see it as a reason to condemn those who previously used the terms.

Edit: the point of this being that you can't win.

An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher

really_adf

Re: What problem are the certificates solving?

iPlayer can ship with Public Key A

I think you're describing the same thing as I was trying to. I called it key0.

So it works as long as the first connection is within the expiry date of the initial download or pre-installation, and it's run often enough.

The same is true if you use certificates from a public CA, and embed the roots in the client with a way to update them (provided that's done in time).

It's the expiry that makes it functionally similar, even though the detail is different. The benefit you describe comes down to having control over expiry. You could equally get this with certificates by using a private CA, without the wheel reinvention: you just need to be able to specify which CA certificate you trust and have a way to update that certificate.

really_adf

Re: What problem are the certificates solving?

So is the PKI there to perform some other function, or is it just being used because the code is there already so it's easier than finding a domain-specific solution?

Just because it's easier doesn't mean it's a bad thing: as with encryption, using existing code is generally a good thing for authenticating a server.

To answer your question in the title: I think the obvious answer is that certificates are intentionally providing a time limit to the trust, because eventually, the private key matching the public key in the root certificate will be discovered.

Say you wish to avoid PKI. On the face of it, embedding (say) an RSA public key in the client and validating signatures would work fine. But there would need to be some mechanism to periodically change the key, because eventually the private key will be discovered.

I think this could work safely through a chain (key0 used to sign key1, key1 used to sign key2 etc), but only if that chain is unbroken, which can't be guaranteed unless you trust key0 forever, which is a bad idea because eventually the private key will be discovered.

I can't see a way out of this...

really_adf

Re: start using DANE and CA if you must

https://tools.ietf.org/html/rfc7671

Doesn't this either just move the problem to DNSSEC, so you get the same issue due to https://www.icann.org/resources/pages/ksk-rollover, or (more likely) avoid it only because of absolute trust of wherever you get your DNS answers from? (Genuine question.)

Guess who came thiiis close to signing off a €102k annual budget? Austria. Someone omitted 'figures in millions'

really_adf

It's not really about marketing (well OK, maybe a little bit.) Hard disk capacity used base 10 units once the average disk size got a little too big for conveniently using base 2 units, as they are a linear/serial storage medium which means a disk platter's capacity can be any number of bytes you like.

At the read/write head, hard drives are basically serial, but (for a long time) from the outside, they are random access devices addressed by sector. The capacity is actually any number of sectors you like. Sectors have a power-of-two size, as a natural consequence of the fact they are buffered in RAM. This may explain 1MB = 1,024,000 bytes being used for a while; this is the definition applicable to a "1.44MB" floppy disk.

Binary prefixes are a natural convention for memory chip sizes: they simplify expressing exact values because the chips have both a power-of-two addresses (a number of address lines) and a power-of-two data lines. Decimal prefixes are a natural convention for line rates: they simplify expressing exact values when, as is typical, a factor in the rate is a clock frequency defined with a decimal prefix.

The rationale for a convention is less clear-cut and often varies in other cases, such as hard drive sizes. This, I assume, led to kibibyte etc to disambiguate.

There's a new comet in town and you don't need a fancy multi-million-dollar telescope to see it. Just regular eyeballs

really_adf

Re: I'd like to see it

I'm in the middle of Austin. We see no stars at all. Just the Moon, Venus, possibly Mars and maybe, just maybe Jupiter at times

"Possibly Jupiter and maybe, just maybe Mars at times" is more likely. Put another way, if you can ever see Mars, you will be able to see Jupiter regularly.

The maximum apparent brightness is basically the same, but Mars is more variable. I think the primary reason for this is that the orbit of Mars is more eccentric. An instructive diagram and more here.

Coronavirus didn't hurt UK broadband speeds in March. Call of Duty: Modern Warfare, on the other hand...

really_adf

"Ofcom attributes the resiliency ... to their ability to scale with demand."

"Ofcom attributes the resiliency shown by broadband providers to their ability to scale with demand."

I'd have thought it's more down to daytime not being the normal peak for domestic ISPs; no need to scale (much) if capacity is already (mostly) there.

Fancy some post-weekend reading? How's this for a potboiler: The source code for UK, Australia's coronavirus contact-tracing apps

really_adf

I am sceptical that it has to have location permissions granted to use bluetooth.

https://developer.android.com/guide/topics/connectivity/bluetooth#Permissions

'Optional' is the new 'Full' in Windows 10: Microsoft mucks about with diagnostic slurpage levels for Fast Ring Insiders

really_adf

Re: How can "Diagnostic Data Off" and "Required Diagnostic Data" coexist?

Or is this like saying if you go out for dinner tonight, it's required that you dress a certain way—but you can still choose to stay at home instead?

I think that's basically the logic. I can see some sense in the wording by reading it from Microsoft's perspective, but surely the wording should have been chosen for the users' perspective. For example, "required" is the minimum required for any useful diagnostics.

I think off/minimum/full would be the most clear (to the user) options for the implied result of the choice. Whether the actual result matches this (ie whether "off" really means "off", as you mentioned) is a different matter.

Amazon staffer based just a stone's throw away from Seattle HQ tests positive for COVID-19 coronavirus

really_adf

Re: Doesn't check out

No, I don't think this virus is really as scary as people make it, the main problems are that it seems to spread easier and quicker than an influenza and that there is no vaccine.

...

Mortality seems to be comparable, so maybe we are overreacting a tad?

More infectious and no vaccine with the same mortality means more people dying, no?

Dual screens, fast updates, no registry cruft and security in mind: Microsoft gives devs the lowdown on Windows 10X

really_adf

Microsoft; you need to learn what legacy means before you can even think about improving Windows.

I think Microsoft know full well what legacy means, this is just the (wishful) thinking of one part of the organisation that is at odds with other parts, those being more in touch with reality.

Is it a make-up mirror? Is it a tiny frisbee? No, it's the bonkers Cyrcle Phone, with its TWO headphone jacks

really_adf

Re: On the plus side...

The snap had been shot by my wife on her smartphone (Ugh) so it was in 3:2 format (re-ugh). I took care to re-frame it properly and change it to the proper 4:3 format for photographs, only to have the millenial shopkeeper tell me that she'd have to crop it as it was not in a standard format.

"Proper photographs" - that is, on 35mm film - are 3:2 (https://en.m.wikipedia.org/wiki/135_film). Hence 6x4 (inch) prints.

Who loves Brexit? Irish distributors ... after their sales jump by a third

really_adf

Re: Insurance

It’s very rare insurance predictions are wrong.

Natural selection: insurance companies making bad predictions die?

Physicists are rather giddy after creating a rare type of laser using laughing gas

really_adf

Re: Radar

Much more than twice the range, surely: reflection won't be perfect, and a "useful" return signal will be stronger than the minimum detectable.

Complete with keyboard and actual, literal, 'physical' escape key: Apple emits new 16" $2.4k+ MacBook Pro

really_adf

Re: Selective deafness

Most people who buy a computer (laptop or desktop) for work don't care so much about looks.

I'm not sure about "most"; I think it depends on whether you want to actually do work on it or because you are a superficial twat, eg many in sales, marketing and management.

Google warns devs as it tightens Chrome cookie security: Stuff will break if you're not clued up

really_adf

Re: Finger Printing and The DMCA

If corporations can have a law that prevents circumvention of the what they do to protect their data (DMCA), then why can't we have one to prevent circumvention of tracking and privacy tools/controls that we use to protect our data?

That's a very clear way to put it, and I can't see a reasonable argument against it. Have an upvote.

We read the Brexit copyright notices so you don't have to… No more IP freely, ta very much

really_adf

So that’s the end of cross-EU mobile roaming, then. Why would companies pay for this when they can pass the costs on to the customer?

The obvious answer is because none of them want to be the first company to start charging for EU roaming.

We're going deeper Underground: Vulture clicks claws over London's hidden tracks

really_adf

Re: Why obsolete?

According to the totally reliable Wikipedia it was five times more expensive to operate than on road vehicles (disputed by the Communications Workers Union who said it was only three times as expensive).

Could be viewed as: road vehicles should be three/five times as expensive as they are...

Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)

really_adf

Re: As a ex sys-admin....

You should be able to assign administration accounts only the rights actually needed in a "JEA security" type model.

Err, that is literally exactly what sudo does (bugs aside). Its configuration says which users can do which things as which users. Such as "members of this (administrative) group may stop/start this service".

The NetCAT is out of the bag: Intel chipset exploited to sniff SSH passwords as they're typed over the network

really_adf

Why is SSH (as a protocol) singled out here?

Because it's by far the most likely way to access a machine with an application warranting the vulnerable infrastructure requirements?

Page: