* Posts by sweh

38 publicly visible posts • joined 6 Jul 2017

BASICally still alive: Classic language celebrates 60 years with new code and old quirks


Re: BBC Basic

10 DIM C% 50

20 FOR A=0 TO 2 STEP 2

30 P%=C%

40 [OPT A

50 LDX #0

60 .lp

70 LDA msg,X

80 BEQ fin


100 INX

110 BNE lp

120 .fin

130 RTS

140 .msg

150 EQUS "Hello, world!"

160 EQUB 13

170 EQUB 10

180 BRK

190 ]

200 NEXT

210 CALL C%

I can fix this PC, boss, but I’ll need to play games for hours to do it


The opposite

Back in the early 90s (in my first job), I convinced my boss to play games (OK, OK, Solitaire)...

This was early in Windows days (3.1?) and he came into my office with a new laptop and a copy of windows and office and told me to get it working. OK, no problem. Install..install..install..lots of floppy swaps later...

I took the machine into his office and showed him it working.

"Great, now how do I learn how to use this?"

Thinking furiously, I made up some bullshit on the spot. "There's these games <here>. I recommend playing Solitaire. It sounds silly but it will get you used to basic functions like moving the mouse accurately, clicking, drag'n'drop and so on". He looked skeptical, but agreed to try.

Two days later he came back into my office and slapped me on the back and said "That game you told me to play? It worked! Thank you"

At last: The BBC Micro you always wanted, in Mastodon form



The old-school not-an-AI. e.g. https://8bs.nerdoftheherd.com/8BS48/content/2-eliza/

Hershey phishes! Crooks snarf chocolate lovers' creds


I moved to NYC 22 years ago, and wandering around I found some Cadbury's Fruit and Nut. Since I was a little home sick I bought it. And after tasting a few chunks was almost sick. Checking the label I saw "Made under license by Hershey".

That put me off Hershey chocolate!

40 years of Turbo Pascal, the coding dinosaur that revolutionized IDEs


FreePascal FTW! https://www.freepascal.org/

Share your 2024 tech forecasts (wrong answers only) to win a terrible sweater


AI and Quantum computing turns out to be good.

OpenAI will crack Quantum Computing so efficiently that it will run on a "Raspberry Pi 6 (Quantum Edition)". All TLS cryptography is rendered useless as a result. Internet banking collapses and banks have to re-open branches, with the Post Office opening new offices to support smaller communities. Cash becomes king again.

The extra foot traffic revitalises the small town High Street. Public transit requirements grow and the bus networks expand to cope. Employment levels approach 100%.

Google Drive misplaces months' worth of customer files


Re: Take responsibility

I also have the 6 account "family" plan; with work discount that's $75/yr for 6TB of cloud storage.

I use it as an offsite copy of my backups, using rclone to do the copying (which encrypts while uploading). So I have primary backups onto my raid6, which is my normal "oops, I deleted a file I need it back" store. I rsync that to external USB disks, just incase the raid dies totally. It'd take a while, but I'd be able to restore almost everything. And then I rclone the important bits that to the cloud, just incase there's a fire or something; in this case I wouldn't be able to recover my ripped DVDs/BDs but I would be able to get everything else.

Is that overkill for a home network? Probably! But then I also have 2 DNS servers, 2 DHCP servers, run my own web/smtp/dns/nntp/vpn/... Overkill is kinda what I do :-)

Linux has nearly half of the desktop OS Linux market


Re: Huh?

There's a reason why we now have WSL2; this uses hypervisor technology to run Linux in a micro-VM. This increases compatibility (eg "docker" won't run on WSL1, it runs fine on WSL2). But at a cost. For example, with WSL1 your processes show up in the windows task manager but with WSL2 this doesn't happen; Windows is mostly blind to what happens inside the VM.

Microsoft can easily deprecate WSL1 if they need to, but retain the ability to run Linux apps via WSL2.


Yeah, I started with 0.11 (boot+root disks), as a proof of concept to demonstrate to my manager that this could become a viable alternative to big expensive Sun SPARC systems. They didn't believe me, but I got the last laugh once SLS came out :-)


In defense of Android as a Linux

Android is a Linux distribution. It's just not _desktop_ Linux.

It has a native shell that you can reach without needing to root/break/hack; just enable debug mode and "adb shell" (just like you need to put ChromeOS into developer mode to enable crosh shell). Or you can install termux app (from the app store, so easier than enabling crosh) if you want something more fully featured.

No, it doesn't come with glibc, but then neither do other linux distros like "Alpine Linux", nor other embedded Linux systems (eg OpenWRT).

Because it's not a desktop Linux, programs written expecting a desktop won't easily work nor be portable. But CLI programs and the like mostly just work as expected; you just need to compile for the target hardware and libraries.

In every respect it's Linux; it's just not _desktop_ Linux.

Rocky Linux claims to have found 'path forward' from CentOS source purge


Re: Ignoring the big issue

> Nobody has the right to redistribute source under the GPL

GPL says "1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium"

So once I have the source code I have the right to distribute it anywhere (as long as I "conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program."

There's no _mandate_ that I distribute the source (unless I distribute a binary based on that source) but I do have the right to do it. And whoever I send the source to _also_ has the right to distribute it, and so on.

Red Hat strikes a crushing blow against RHEL downstreams


Maybe this will be sorted, eventually.

This isn't the first time this sort of "You get our binaries and GPL but if you exercise your GPL rights you lose further access to our binaries" issue.

The first one I can recall was sveasoft, who were early in creating an alternate software for the Linksys WRT54G based on Linksys GPL'd releases. They tried this sort of them and were condemned. Sveasoft died, and other alternatives like DD-WRT, OpenWRT etc thrived instead.

Later we had Grsecurity doing the same thing; Bruce Perens was sued for claiming this broke the GPL, but a judge threw it out ( https://www.theregister.com/2017/12/22/grsecurity_defamation_perens_dismissed/ )

In both cases no decision was actually made on whether restrictions like this broke the GPL license.

Now RedHat/IBM are doing this; I wonder if this is now high profile enough to get proper legal attention. Unfortunately any case could take years to resolve :-(

Burger King just sent spam receipts to customers


"I don't always test my code, but when I do I test it in production"

Microsoft announces a new Office for offline fans, slashes support, hikes the price


Re: I think. although maybe harsh

Hmm, I'm paying US$75/yr for a family O365 account; that's 6 users, each with 1Tb of OneDrive storage. 6Tb for $75? That's not a bad price, on its own, for off-site storage!

And with `rclone` (www.rclone.org) to send encrypted backups, and `https://github.com/abraunegg/onedrive` for "live-ish" syncing it means my Linux machines can happily make use of that space.

Philips kills dependence on its Hue hub, pointing to a Bluetooth world


Re: All my bulbs are old now :-(

The hue hub does not need to receive incoming connections from the internet; it reaches out to a google cloud hosted service via https. It does this to receive firmware updates, and to allow for remote control when out of house, and for integration with voice assistants, etc.

And in current affairs... Apple recalls three-prong AC adapters after some shocking behavior



PogoPlug from 2009 did this (although it wasn't wireless). See, for example, https://zatznotfunny.com/2009-10/pogoplug-cloud-realignment/

London's Gatwick airport suspends all flights after 'multiple' reports of drones


Re: Why not kit out airports with anti-drone drones?

Flesh'n'blood hawks do the job just fine; https://www.youtube.com/watch?v=b5DEg2qZzkU

Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit


Re: I'd like to know

If the cert was being used for passive TLS decryption (a common technique for Data Loss Prevention) then an expired cert may not trigger alarms (the device manufacturer may consider that a normal case; certs do expire, especially if the cert store can handle multiple ones) but the TLS decryption would fail (also a normal scenario).

Since, in this scenario, it's passive no traffic gets blocked and data is no longer inspected.

Cert management needs to be proactive, not reactive.

Chromebooks gain faff-free access to Windows file shares via Samba



Hopefully it'll also work with Microsoft's Distributed File System (DFS) which makes a share look like \\domain\sharename and the service resolves to the best server to handle it (DR, regional replicas, etc). This is something Linux sometimes struggles with.

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV


Re: It's Christmas!

Interesting demographic niche there: old enough to like "Merry Christmas Everybody", young enough to think Alexa is a good idea.

Or maybe old enough to be able to decide for themselves the pros and cons of Alexa and feel that the "fun" factor outweighs the minimal risk.


BTW, I'm 50 this year. Hardly a youngster.


UPnP? Ugh. That's just asking for remote attacks. Let's expose my IOT device to the whole internet. We've never seen that cause a problem before.

The other option is to have the devices reach out to a central server (which is what things like TP-Link Kasa, Frigidaire, Hue, Echo, TiVo...) all do. Now we're dependent on the central server keeping running! We've never seen those companies stop supporting devices or shutdown servers...

At least Kasa devices and Hue hub expose local network endpoints (unauthenticated so anyone on the local network can reach them) so if the central server does go away then at least freeware alternatives can be written.

There is no win... just various shades of lose.


It's Christmas!

"Shoot me now. Please, someone. Just end it before it gets any worse."

At Christmas time I plan on putting the tree lights on a smart switch and programming the echo so I can say "Alexa, it's Christmas!" and the tree lights will turn on and Slade will start playing.

Now that's smart :-)

EU wants one phone plug to rule them all. But we've got a better idea.


Re: Be much more interested in...

"NT4[...]stable and snappy"... yes, it dropped into that stable blue screen very very quickly!

Google Chrome update to label HTTP-only sites insecure within WEEKS


Re: @Tomato42

In the US, ISPs are mostly a local monopoly. You get your local cableco... or maybe Verizon if you're lucky. No real choice.

And when we've seen Verizon, Comcast, AT&T all MITM traffic...

And then you have people using Starbucks WiFi (are you sure you're on the Starbucks hotspot and not someone pretending to be it?) and other free hotspots...

Basically, the underlying transport must be considered insecure.


Re: http://www.bbc.com/

Yes, mixed content is not secure. The browser doesn't (shouldn't!) even attempt to access the http content, by default, which is why some people are screaming ("our ad network is http only; it'll stop working if we move the main server to TLS").

The ad networks will catch up. They'll have to.


Re: Shared Hosting

Umm, you might want to look at the Server Name Indication (SNI) field of TLS; it allows exactly for the situation where multiple hosts share the same IP address.

This solution is only about 10 years old. If your client supports TLS1.2 (and if it doesn't then you have bigger problems) then it should support SNI.

Smart bulbs turn dumb: Lights out for Philips as Hue API goes dark


I'm only 50, and I've seen failed switches. Admittedly that's in America, where I find the whole electrical setup to be scarily bad, compared to what I grew up with in England :-)


Expandability, flexibility, ease of installation.

Maybe the bulb of tomorrow will have a built-in Alexa. Or infrared sensors so they form part of your alarm system. Or speakers. Or motion control (think Kinect on steroids). Or...?

Big Brother

Google Cloud

I've been messing around with a Hues Emulator; a python script that runs on a VM and pretends to have light bulbs attached. The Alexa device detects these and adds them. Now when I use voice control I see a connection from the Echo (oddly, not the one I'm speaking to but another one in another room!) to the emulator. So Alexa voice control appears to be local (once it's been sent to Amazon for processing, of course).

For "out of home" connections, the Hue Bridge makes an outgoing persistent connection to a Hues website. My router conntrack is telling me it is currently connected to - which is "....bc.googleusercontent.com" and has a certificate for ws.meethue.com (signed by some Philips intermediate) - I'm guessing a websockets layer.

Given this is google cloud compute, it's likely Philips pushed bad code...

AWS outage killed some cloudy servers, recovery time is uncertain


Re: Isn't cloud supposed to be fault tolerant?

No, clouds are not meant to be fault tolerant. "The cloud" may always be there and running, but individual instances inside the cloud may die at any time.

Clouds allow you to build applications that are fault tolerant. Indeed, applications should be designed to assume failure. There are many design patterns that can help with this.

This is why "lift and shift" doesn't buy you anything except "outsourced data center". If you build traditional applications and deploy them to the cloud then you need traditional HA solutions as well; duplicated service in a different datacenter, data copying, "DR" processes...

The responsibility for availability in the cloud rests solely on the application owner.

Cryptocoin investors sue Chase Bank for sky-high credit card charges


Re: MasterCard 'clarification' of MCC/SIC code?

This is most likely what happened.

Chase has not changed policies. The surcharge for cash advances has been around for many many years.

Merchant classifications, however, change all the time. Mostly you don't see them because you (as the card user) don't really care. It can affect what merchants may be in-scope for "5% bonus points" promotions, and end of year breakdowns, but normally it's invisible to you. Given the millions of merchants, it would be pointless telling you of changes.

So if this particular merchant had their classification changed so that it now counts as a cash advance then Chase would be perfectly entitled to put the surcharge on.

I fully expect this case to be dismissed.

Gmail is secure. Netflix is secure. Together they're a phishing threat


Re: TL;DR but what is it with ****ing developers

If you're using an American site, then you're better with "011" as the international access code.


Next; tech; meltdown..? Mandatory; semicolons; in; JavaScript; mulled;


Re: What's old is new again

"I'm sure I've encountered a langauge which use double-semicolons as statement terminators but can't remember what it was"

shell script "case" statements use ";;" to end the case


case $a in

x) foo ; bar ;;

y) baz ;;

*) echo Ooops ;;


Judge rm -rf Grsecurity's defamation sue-ball against Bruce Perens



This all reminds me of the early-ish days of WRT54G router hacking. Early/mind 2000s. A company called Sveasoft produced some quite interesting firmware, but then went to a subscription only model; pay a subscription, get their firmware and (to be GPL compliant) get the sources. However if you then passed the source on (as is your right under the GPL) they would terminate your subscription, your support, and refuse to sell to you ever again.

All the discussions around GRSecurity are the same as the discussions around Sveasoft.

Some fun at https://slashdot.org/~TheIndividual/journal/ and http://wrt54g.oliver-arp.de/

Sveasoft are now dead in the water (there's a stub web page still taking subscriptions, but I don't think James Ewing actualy delivers anything any more - http://www.linksysinfo.org/index.php?threads/sveasoft-did-i-just-mess-up-here.33599/ - It's been 10 years quiet), while OpenWRT, DD-WRT et al are going gangbusters.

Sprint CEO straight out accuses Verizon counterpart of LYING


AT&T offer free HBO; T-mobile offer free Netflix; it's not surprising Verizon Wireless also offer these promotions just for "feature parity" (especially since Verizon FIOS regularly has free HBO bonuses; there's probably existing commercial agreements between Verizon and HBO).

It's interesting to note that Sprint's current TV adverts are "within 1% of Verizon in terms of reliability", which doesn't address the coverage issue; yes the service may be as reliable... in the areas where coverage is available, but Verizon have the better coverage. Of course, for 70% of the US population that extra coverage doesn't make a difference. (See https://www.komando.com/happening-now/388850/the-truth-about-these-cellphone-ads for a breakdown).

It's also interesting that Sprint position themselves as the cheapo option ("would you pay twice as much for 1% more"); given how many people pay for Apple's premium branding, I wonder if they've thought this through :-)

Me, I still have an area on my daily commute (New Jersey heading to New York) where there's no signal. Yay :-(

Judge yanks plug out of AT&T's latest attack on Google Fiber


Re: Google in Kansas City MO

In my town in NJ, Verizon FIOS is costing me $95/month for gigabit internet. speedtest results on my desktop give 805/515 as "real" speeds.

And that's with almost no competition (cablevision tops out at 400/40).

AT&T are just trying to protect their revenue by any means they can, 'cos they know they'll lose money if they have to compete.

Linus Torvalds may have damned systemd with faint praise


Re: Not surprising. At all.

"For security reasons, our new policy is as follows: No new deployments with systemd - no exceptions."

Put it in a Docker container and don't run an init system at all. Then your customers can chose what platform they run Docker on :-)

Create a user called '0day', get bonus root privs – thanks, Systemd!



FWIW, POSIX doesn't say that a leading digit is disallowed.



To be portable across systems conforming to POSIX.1-2008, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.




3.282 Portable Filename Character Set

The set of characters from which portable filenames are constructed.


a b c d e f g h i j k l m n o p q r s t u v w x y z

0 1 2 3 4 5 6 7 8 9 . _ -


So we can see that "0day" is a perfectly valid username.

It may be a bad choice for a username because it can expose bugs but it's _valid_.

(Fun: "1234" is a valid username... just imagine the chaos that'd cause!)