Posts by ibmalone

Re: Misrepresentation

Agreed the string handling bugs are mostly a subset of other memory management issues, but they're particularly pernicious due to the traditional nul-terminated representation and string format specifiers (together with sscanf/sprintf and %n meaning even incautious printf can write to memory it shouldn't, not just access).

Re: What about the people in the software world?

An open source fund would make more sense!

Thinking of buying a new development laptop, 3% of a neat £1500 comes out at £45, am I any more likely to use this to do whatever it is they think I should be paying for than with a £30 Fire Stick / Chromecast / Roku? Do we have to pay it on our server and storage purchases?

Anyway, this problem is largely sewn up now, access through mobile devices and smart devices means most people are using streaming services for legal access (or semi-legal in the case of youtube videos). If producers aren't getting paid enough then that's the door to knock on. Or maybe do it out of general taxation, after all, I sometimes overhear buskers without paying them and no device was involved there.

Re: Forcing hardware upgrades in the midst of a global silicon glut, how to do PR the Micro$oft way.

Yes, one thing that struck me about the "rootkit" was it required admin to install and appeared to be intended to let gamers spoof location. That is, the real crime is trying to escape corporation control. (And of course it keylogged, because the kind of people who write this stuff are often dodgy.)

This may turn out to be a factor, when people realise their older hardware running linux can do things they are no longer allowed on newer hardware. The same way I still own a RPC-1 DVD drive.

Re: So, SatNad...

If you or I knew the answer to that then we wouldn’t be having this conversation because one of us would be genuinely clairvoyant and along with knowing what the PRC, Russians and NSA have compromised in our software supply chains we’d also know that this conversation was a waste of time with no positive outcome for anyone involved.

The thing is, we know commercial software has been compromised by intelligence agencies in the past, including holding on to vulnerabilities in Windows, so there's no particular use in asserting open source dependencies are compromised in particular (looking forward to bugs: "Regression, remote access exploit no longer works after commit abc123"). If they want to compromise open source they'll at least have to put some effort into maintaining it. MS have been less dislikeable recently, but as with Apple their goal is user lock-in, telemetry and requiring online accounts are moves towards that goal, the best we can hope for is they see utility and interoperability as a better way to achieve customer loyalty.

Re: "Every compatible mobile phone or tablet in range of a mast ..."

Many phones for older people are 2G, my grandfather had one of these: Doro 1360

Though I guess not alerting them to danger is entirely consistent with gov.uk's modus operandi.

Re: Wouldn´t be surprised

Probably mentioned this before, but slightly related. Built a home designed guitar amp intended to run off a 20V DC supply (i.e. laptop power supply to avoid messing with mains), push-pull design (to drag out the most power possible think I was aiming for 20-30W), this normally needs AC, instead used a quartet of beefy audio transistors, and a little 2N5550 transistor balancing ground between the two halves.

Simulation says this transistor takes almost no current, just there to set the bias right. I say little, but they're supposed to be 0.6W. Worked with a test load (not going to blow up a real speaker). However, something about the design was not quite stable, so on the first real test it worked for a couple of seconds, then output stopped, there was a brief pause and then a very loud bang. Half the transistor casing had blasted off as it went from 0.5V to 20V and lost its short but valiant struggle. Changed a couple of resistors and tentatively tried a new transistor... the second one survived. It's been rewarded by sitting around for several years waiting for a cabinet.

Re: Easier to run a VM

If you're only using it for one application then fine, but switching between programmes and maintaining a second login are all a bit of a pain. I use Windows in a VM fairly regularly and would prefer to run applications as if they were native (however because other people need windows too, and it's not just for one or two applications that can be made to work with WINE the VM is the better option in this case).

Re: My television wants me dead, or just gibbering in a 'special' ward.

Before ~2000-2005: Turn on TV, brief pause while the flyback gathers its strength and then the crisp Pfff and gentle crackle of a single electrical raindrop landing as the CRT kicks into life and any fluff within 10 metres gently adheres to the screen. If you're fancy then from the late 90s onwards replace this with plasma screen contemplating whether or not it's going to start this time.

~ 2007- 2012: Turn on TV, wait while digital signal is acquired. Find multiplexes need rescanned.

~ 2012 to present. Turn on TV, wait while it boots its OS, connects to the internet and uploads your recent viewing history to Google. Discover iplayer no longer supported by this device.

Short period, ~ 2005 - 2007. Press power button, LCD comes to life, TV is being watched.

I recently bought a glass cover for an oven lamp from Amazon. They now email me with suggestions for similar glass covers. And, just in case I should accidentally render them relevant by breaking the replacement, the covers are for different models of oven.

Though I do wonder if the "obviously stupid" suggestions are a cover for more subtle stuff.

Nah.

"The passwords / API keys were not supposed to be public; by keeping a copy you are creating the possibility of holding them to ransom for their private data in future, to which they reacted quite understandably."

Not true, as it assumes the researcher is the only person who accessed this publicly accessible data. The assumption should be an unknown number of people with much shadier intentions also grabbed it and kept it without being courteous enough to notify the organisation of their actions. The minimum response should be to change the keys against that eventuality (which apparently was done), at which point that information cannot be used for ransom any more.

Re: Rust - the language for coders who can't.

Can you imagine what will happen when programmers don't have to spend mental bandwidth on navigating bear traps?

Re: Hopefully..

I can't say for sure it would have worked, but the default for that (not actually linux) grub screen is usually to boot the default (normally first) option after a certain time (default 5 seconds). So to get here that has either been disabled or a key has been pressed to interrupt it. It's the equivalent of starting windows boot manager and then leaving it there.

Re: A punitive sanction against the Uni for approving it

Point 3 leads back to point 1, it's not security theatre in that sense, it is blocking explicitly the organisation whose processes are flawed.

I do have some sympathy for the IRB, they are generally there for looking at human research (animal research too in the places that do it), which is very important. It may simply not have occurred to them this was something that needed oversight (which brings us back to point 1, because the institution as a whole must realise there is a need for ethics beyond the medical faculty).

Re: Prime Example

I can sort of understand the model, since the ongoing classes are a service, but they cost more than what my gym membership costs, which gets me access to equipment and some free classes. There is quite a big range in treadmill quality, smallish home ones don't really compare to the heavy duty ones many gyms use, not sure where the tread+ sits in that range. (Though I do remember the council gym back home where the max speed was 16km/h and it would overheat and have to cool down if you went above about 12km/h for a few minutes.)

Re: Wrong way entirely

We've got one of these in the office (I believe it's still there. The tap that is, not the office. Well, maybe the office.), not sure what brand, but it's insufficiently hot for tea. Okay for instant coffee if you're desperate. However, there are a few scattered around my employer of different makes and they all have a safety feature to stop you dispensing hot water by mistake, generally you need to depress or activate two buttons at once. More interested in the lack of a sink for the tap, any drips or accidentally dispensed cold water are going all over the desk.

Re: I'd challenge the Director Cost

Still doesn't feel right, the employees are being billed for higher-up's time required to check over their work and make interventions they feel necessary? That sounds less like a company and more like a pyramid scheme.

"It is strange that if you mention zero initializing memory in a C or C++ project, everyone says that is inefficient and would laugh."

Not quite the same thing as this:

"Additionally, Rust requires all variables be initialised before use"

Initialising memory does have an overhead, though whether that matters depends what else you're doing. In C you have a choice between malloc and calloc when allocating memory, which is a clear distinction, in Rust you are generally going to be dealing with objects such as vectors, and can do things like with_capacity https://doc.rust-lang.org/std/vec/struct.Vec.html#method.with_capacity to allocate without initialisation. Rust will generally prevent you getting hold of uninitialised memory directly, but you can do it if you really want.

Initialising variables though, in C:

int a;

Is absolutely fine, but try to use a before assigning to it and you're into undefined behaviour territory (unless it's global scope, in which case a is initialised to 0). Rust insists on

let a = 0;

Or whatever value. To avoid duck typing and be able to change "a" later too, you're going to need:

let mut a: i32 = 0;

I'm not 100% convinced about initialisation as preventing bugs; generally the real bug is "forgot to assign something relevant to this declared variable later", which this doesn't really solve. It may mitigate bugs, by making them more reproducible and preventing information from the application's memory leaking out though. (And possibly mask a subtler class of bug where you're unknowingly relying on the initialised value rather than the value you meant to assign later, but that's one for testing.)

Re: People are still using RoR?

It's not that PHP doesn't try to hold your hand, it's that it tries to turn your hand into some kind of squid creature, and before you know it it's wrapping its tentacles around your neck, and oh God, they're in my mouth, it's going down my throat, help I can't breathe...

Re: seriously? after the CentOS debacle?

He's seemed relatively decent from the distance I've observed him in the past (used to hang around the Fedora mailing lists more than I do now), but I'm sure he's got lines he has to take here.

Re: Which would you rather do?

"login to your institution's library and follow what may be lengthy procedure to get it?"

Generally, if you have an institutional subscription, this is now a very streamlined process. The publisher usually has a 'access via my institution' button and you authenticate through shibboleth or openathens, no need to go through your library site in most cases. (The more annoying ones are those that instead check institutional IP, so with things as they are have to be accessed via VPN.)