Posts by whitepines

821 publicly visible posts • joined 29 Aug 2017


Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections

whitepines
Black Helicopters

Re: If this does become reality, there's a simple solution...

> It's my computer and I alone will decide what software it runs and whether I will accept any technical limitations imposed by those who would seek to compromise my privacy and safety.

Intel and AMD would like a word with you, as would Samsung and some others. It hasn't been your computer for a long time, see IME / ASP / TrustZone.

Scripted shortcut caused double-click disaster of sysadmin's own making

whitepines
Facepalm

Re: Is there anyone

Good old Data Destroyer. Learnt to always do a dmesg and a gdisk -l before blithely assuming the target node was whatever I thought it should be.

Firmware is on shaky ground – let's see what it's made of

whitepines
Black Helicopters

This already exists, see for example the Raptor Power9 products or some of the Orange Pi boards.

People do in fact pay a premium for the extra flexibility, the business model apparently works, therefore I must conclude that the locks on consumer products are to force HaaS and overall cloudification with personal data theft and sale as a side benefit. You're more valuable to them as a source of data for sale than as a customer.

I also point a large accusatory finger at Hollywood and their streaming services. They love the DRM aspects of the locked firmware, and have been fairly successful in getting people to sign up to multiple services at extortionist monthly rates. Frog in the pot and all that, if you're renting the device in your rented flat why not rent the content too? It's only money after all.

CT scanning tech could put an end to 100ml liquid limit on flights by 2024

whitepines
Facepalm

Re: And the effect has been ...

> All these regulations and checks have resulted in nobody causing an explosion on a plane since they were imposed so you can say that they suck, but you can relax on a flight.

Seeing as the regulations were so onerous that I, and a number of other colleagues, all stopped travelling by airliner entirely as a direct result of the invasive searches and some bad experiences (think windowless room for misidentified baggage -- how is that not a human rights violation?), I do question the cost / benefit involved.

By the same thinking we might as well imprison the entire population and congratulate ourselves on the eradication of crime.

How experimental was Microsoft's 'experimental banner' in File Explorer?

whitepines
Black Helicopters

Pluton enforced?

And so the real purpose of Pluton is revealed...

When you have ads in the OS, switching OSes becomes a major problem. An OS that won't show ads becomes unauthorized software.

Move just a little further from ownership of the hardware to leasing the firmware of the hardware, and suddenly the ads can't be removed.

Microsoft always runs the EEE playbook, and it's never obvious until it's far too late to change anything.

Intel's 12th-gen Alder Lake processors will not include Microsoft's Pluton security

whitepines
Alert

Re: What (exactly) is in the next CPU chip that I get in my next computer?

Good points, and unfortunately getting away from these embedded menaces now requires leaving x86 entirely (thanks AMD for selling out!).

Currently typing from a Talos II, which I really like but is rather costly to buy. Would otherwise be typing from an Asus C201. Rather tired of US corporations stealing everyone's data, and now trying to dictate how people can or cannot even use their own computers.

What I am most concerned about is the lack of outcry on this new power grab. Back in the day Pluton and its ilk would have caused mass boycotts, has the frog been thoroughly boiled now and people don't care?

Concern over growing reach of proprietary firmware BLOBs

whitepines
Devil

Re: Well, like it or not

All that really needs to happen is that the manufacturer is made liable for all of the costs of a data breach, if their firmware allowed it to happen and wasn't replaceable by the machine's current owner.

I'd wager there would be a lot more testing and a lot less firmware overall if bugs and backdoors became the manufacturer's financial problem instead of the machine owner's financial problem.

I also find that closed source empowers the black hats and stymies the white hats, for the simple reason that the black hat just has to find one way to crack the binary to engage in nefarious activities, whereas the white hat ostensibly has to locate all possible cracks and patch them. Having source code massively helps the latter and does not significantly help the former.

whitepines
Thumb Up

Re: Purism isn't quite what it says on the tin

Happy to oblige, for what it's worth.

Some relevant background, I've been a staunch Linux user for well over two decades, and already moved my PC games to a separate system some years back as I refused to trust Steam with my personal information. I was also using an old AMD true open firmware PC (KCMA-D8) before moving over to the Talos II, back when coreboot meant open source not a build system around Management Engine and FSP binaries.

The best way I can describe it is that it feels just like a normal PC, other than it takes a really long time to boot up. The only significant issue I have observed is that Firefox is extremely slow, basically unusable, but good progress is being made on fixing that [1]. A Chromium port is available and is very usable even on Javascript heavy websites, I use the Ungoogled version of that for daily work and am happy with it (typing this comment using it, in point of fact) [2].

On balance it's a lot faster than the old AMD kit, and knowing I cannot be (easily) subverted at a firmware level is well worth the cost. Even using Tor makes sense on a platform like this, with full control of the system it's possible to control and manipulate the data spillage to various totalitarian regimes, and I've had fun with that in the past. Various packages install from the package manager like you would expect, no complaints on that end.

[1] https://www.talospace.com/2022/02/brief-status-update-on-power9.html

[2] https://twitter.com/RaptorCompSys/status/1487858941396766721?s=20

whitepines
Black Helicopters

Purism isn't quite what it says on the tin

It's not widely known or advertised as such, but the Purism kit still requires the Intel Management Engine to boot up. Definitely not a good first choice for high security applications.

Typing from my Talos II workstation, nice and private but quite the stationary lump otherwise. The old Chromebook I used for mobile computing just isn't adequate these days, with software bloat everywhere. No really good options that combine portability, performance, and privacy, sounds like the old adage to "pick two" is the best one can do?

Oh, Comcast. An Xfinity customer and working from home? Maybe not this morning

whitepines

Re: Looks like something broader... or people are using Comcast pipes

Comcast provides some physical plant for other providers, so if they go down hard the little bit of Comcast in the chain breaks the connection for the other provider too.

Cisco requires COVID-19 shots for all US staff – even remote workers

whitepines

Re: No Joke

This is not a black and white issue. I assume most here would consider the New England Journal of Medicine an authoritative source for medical information, and here is what they have to say regarding the COVID vaccines and the VICP:

"Only people who can afford to wait for Covid-19 vaccination until the emergency declaration has ended and the CDC acts will be able to file injury claims under the VICP".

"As compared with people who must work in person, people who can work remotely are disproportionately well educated, high earning, and White."

"We believe that any FDA-approved Covid-19 vaccine (including vaccines approved under emergency use authorizations) should fall under the VICP immediately"

So as usual it's minorities and such really thrown under the bus, while the rich escape with no risk. Brilliant thinking. And there are purportedly civilized countries that don't even have a compensation program to list the vaccines in, though to be fair those countries tend to have proper socialized medicine so less of a concern.

https://www.nejm.org/doi/full/10.1056/NEJMp2034438

whitepines

Re: No Joke

To the downvoters...

I have a wonderful new treatment for the flu! It's three times as effective as current flu shots, and since old people keep dying of the flu we're going to make it mandatory and deny compensation for any adverse effects! If you end up babbling on the floor, you and your loved ones' problem, not ours...

Oh and look, another one for the common cold! Mandate it to save babies! Again, if you happen to be the lucky few that has a bad reaction and can't work anymore, just hope you have a rich family to take care of you, right? Not our problem!

Please do explain the rationality of mandating a treatment and not providing for the (rare) cases when it goes wrong? It's always easy to say some sacrifice is needed for the common good, but it does hit somewhat differently when it's someone close to you having made a sacrifice who is now a permanent burden on relations. How "civilized" is that, really?

whitepines
Facepalm

Re: No Joke

Great! Let's start by having the US government take some responsibility for adverse effects. Put the vaccine in the Vaccine Injury Compensation System and allow people who suffer adverse effects to be properly compensated. Right now people are being forced to play Russian Roulette with the vaccines, especially those who already had the virus, as it's really quite unknown how their immune system will react to the mass-injection of a new "variant". I wouldn't be surprised if this is why there is such variability in reported adverse effects, including blood clots leading to stroke and similar. *

If the rate of adverse effect is as low as claimed, why is there objection to allowing compensation for those purported extreme few that have had their lives upended or destroyed by the vaccines? Something isn't passing the smell test here.

* https://www.ibtimes.com/student-gets-leg-amputated-after-covid-19-vaccine-dies-brain-blood-clots-3325327

NPM packages disguised as Roblox API code caught carrying ransomware

whitepines
Coat

Indeed. I remember a time when you had to convince the developers that your code was good enough for their project.

Uphill. Both ways. In the snow, lugging a 300 baud portable terminal.

I'll get me coat...

Tesla slams into reverse, pulls latest beta of Full Self-Driving software from participating car owners

whitepines
Devil

Emissions aside, there are plenty of cars that you actually own, and even with emissions if you follow the law you can in fact repair or upgrade those components as well.

There is a special place in hell for a car that is always online, always talking to the mothership, always recording, requires an EULA to even purchase, and threatens its "owner" if it detects unsanctioned hardware (the Ethernet port flap some time back).

whitepines
Devil

from participating car owners lessees

FTFY. It's still Musk's car, he has brilliantly tricked his lessees into taking care of his property and bearing his maintenance costs, while not actually transferring full ownership of that same car in exchange.

Reg scribe spends week being watched by government Bluetooth wristband, emerges to more surveillance

whitepines
Big Brother

But weren't you in a type of jail to begin with? Arguably a posh, nice jail, but a jail nevertheless, complete with loss of freedoms (movement, privacy) and government surveillance systems linked to armed guards (police) to keep you there.

If your apps or gadgets break down on Sunday, this may be why: Gpsd bug to roll back clocks to 2002

whitepines
Trollface

Re: Here's what happens next...

You forgot the part where Google stops accepting outside contributions to the source, and makes it a byzantine service that only runs on specific hardware using obscure Google-specific network packages. All the while adding privacy-invading antifeatures to the official builds that force you to try to recompile it yourself, but while you're busy fighting the Google build system they're busy making those antifeatures part of the NTP standard.

In parallel, Google starts flogging Time-As-A-Service, only to abandon it several years later.

Cynical? Moi?

It's time to delete that hunter2 password from your Microsoft account, says IT giant

whitepines
Big Brother

Anyone else notice the nice subtle change (at least in some jurisdictions outside Blighty) from a legally protected login key (password) to one that can be legally coerced or stolen (face ID, thumbprint, etc.)?

Not that it matters much in the face of Microsoft's ability and willingness to sift through its users' data for any purpose in the first place!

IBM's first 7nm Power10 chip arrives in E1080 server system with a wealth of shiny features

whitepines

Re: Not a true comparison

Not sure about that, the "features" linked are fairly fundamental (RAM? PCI Express?).

The OpenPower parts are almost always rebinned / cut down versions of the base processor variant. I see no reason this won't remain an issue on the OpenPower chips.

Who would cross the Bridge of Death? Answer me these questions three! Oh and you'll need two-factor authentication

whitepines
Big Brother

Re: If you don't use Chrome

I've always suspected the ease of captcha completion is directly proportional to how well Google is tracking you. Easy captcha means Google at least thinks it knows exactly who you are, where you are, what you are likely to want to buy next, and can easily serve you ads. Hard captcha means Google doesn't know who you are and has to resort to generic, less profitable, non-personalized ads.

As much as I don't like endless pictures of trucks and crosswalks, I think I like Google knowing exactly who I am and where I am at any given time much less. Gives a lot of time to think about whether the web site on the other end of the endless captchas is actually worth visiting, too.

Blessed are the cryptographers, labelling them criminal enablers is just foolish

whitepines
Thumb Up

Democracy!

> Privacy creates agency. When you can communicate privately, your potential actions grow.

Brilliant. This is the most concise form of the basic privacy argument that I have seen.

LibreBMC project to open source baseboard management controllers with security as a priority

whitepines

Competition is good?

Seems there are now two competing FPGA BMC projects -- the original project is Kestrel:

https://gitlab.raptorengineering.com/kestrel-collaboration/kestrel-litex/litex-boards/-/blob/master/README.md

From what I can see Kestrel is already functional, and LibreBMC is still in the early planning phase. Will be interesting to see what happens from here, and which project gains traction.

Microsoft calls time on Timeline: Don't worry, more features that nobody asked for coming your way

whitepines
Facepalm

Re: "We can't wait to hear what you think!"

> the ability to restart applications automatically following reboot and sign in

My Linux boxes have all done that, locally, for the past 15 years or more. It's something I don't even think about any more, I just expect it to happen on login and very much like it.

Did Micros~1 somehow manage to require a cloudy service backend for this basic feature?

FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins

whitepines
Happy

Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

> [0] When was the last time you checked the status of yours?

My Blackbird desktop doesn't have a Management Engine. It also doesn't run Windows or commercial games [1].

Such a nice feeling though, not having a known backdoor.

[1] I have another computer for the few games worth playing these days. As far as its Management Engine is concerned, "gamer1" only visits Steam forums and the like.

Who'd have thought the US senator who fist pumped Jan 6 insurrectionists would propose totally unworkable anti-Big Tech law?

whitepines
Boffin

Re: Yeah, but....

> If you believe in a sovereign nation, it is not unreasonable to assign a corporate valuation ceiling based upon the valuation of the encapsulating nation.

That's not half bad, cap at 49% of GDP much as Bitcoin assumes no one entity can control 50% or more of all mining resources.

Perhaps blockchain can manage some good in the end, if only in conceptual form?

For blinkenlights sake.... RTFM! Yes. Read The Front of the Machine

whitepines
Trollface

Re: Broke my little toe...

> Usually whoever is the "banker" in my experience.

And this is different from real life in what manner?

IBM creates a COBOL compiler – for Linux on x86

whitepines
Boffin

Re: COBOL

I was curious about that so I went to look at the Power ISA. There's an entire chapter dedicated to decimal floating point:

https://wiki.raptorcs.com/w/images/c/cb/PowerISA_public.v3.0B.pdf

Not sure any Linux compiler uses it though, or even what performance benefit would exist for real world applications.

Over a decade on, and millions in legal fees, Supreme Court rules for Google over Oracle in Java API legal war

whitepines
Devil

Re: Minions Finally Lose

Perhaps there was concern IBM or some other entity could wind up denying Oracle a license for SQL, should this have gone into the mirror universe?

Time for an upgrade: Dev of the last modern browser for PowerPC Macs calls it a day

whitepines
Boffin

Re: There's always Linux...

Void is targeted more at modern Power boxes, like the Raptor stuff. I know for a fact the Debian ppc64el variant works fine with 3D acceleration and various browsers, since I use a Blackbird as a daily driver with Debian on it.

How many of the old 32-bit (or 64-bit big endian) Mac ports will keep working, and for how long, is an open question at this point. Roughly speaking it's like trying to keep support for early Pentium 4 systems, but with more problems due to the backwards* endianness on the old Power devices.

* Yes, yes, I know big endian is the "proper" way of doing things from a human perspective. Intel won out with little endian, and we're now at the point where even new GPUs assume the hardware they're attached to is little endian.

IBM, Red Hat face copyright, antitrust lawsuit from SCO Group successor Xinuos

whitepines
Facepalm

What are the chances this was revived just before the upcoming Oracle vs. Google ruling, in case APIs are in fact considered copyrightable in the Land of the Unfree?

Cheap shot, but short of copyright reform (20 years like patents would be reasonable) it would be highly effective in killing Linux inside the United States. Wonder if there are any connections to Microsoft in this case, as in pay for Windows and accept Microsoft spying T&C if you want to use Linux?

What could be worse than killing a golden goose? Killing someone else's golden goose

whitepines
Coat

Re: At DryBones, re: rubber cheques...

> $0 & 1Cent

Missed an opportunity there to give Reality your two cents!

US govt indicted me because I make privacy tools, says crypto-chat app CEO accused of helping drug smugglers

whitepines
WTF?

Re: So tomorrow Signal, Telegram?

So how does one in fact determine that the potential buyer is not a drug dealer before the sale is made? Is there a clearing house of some sort to verify?

Or, perhaps, does the concept of mens rea come in to play where even if the fact comes out later on that you inadvertently sold something to a criminal, you are not guilty of any crime since you did not knowingly do so?

I sincerely hope we have not reached the point where everyone must be surveilled everywhere since everyone is assumed to be a criminal, and therefore any privacy-enhancing technology is unsafe to sell.

Hacktivists breach Verkada and view 150,000 CCTV cams in hospitals, prisons, a Tesla factory, even Cloudflare HQ

whitepines
Facepalm

It's all in the name

Closed Circuit TV. Not IoT TV. Why was this video even technically accessible outside the organizations that installed this supposed "CCTV" system?

It's one thing to stream / offload locally encrypted dumps in case something burns down or disappears. It's another thing entirely, and arguably far from CCTV, to have outside contractors / employees able to view your creepy IoT camera network!

Genuinely curious: Does this trigger any GDPR consequences around use of biometric data against the idiotic afflicted organizations?

Customer comment and contributions no more as Microsoft pulls the plug on Office 365 UserVoice forum

whitepines
Coat

Define "best"

> we need to shift our areas of innovation and development to provide our customers the best possible experiences.

[Goes to load the latest interminable meeting or task list]

"[sad cloud icon] The Microsoft Cloud is having a whoopsie. Try again later."

Do that for a half an hour and (pre-virus) we could all go home / to the pub instead of the office, at which point Microsoft would have indeed provided "the best possible experience".

Wait, wasn't that ambiguity the plot of a certain Asimov series? Seems appropriate with the mention of the "AI-powered assistant".

whitepines
Alert

Re: Reality check

I suspect that the main reason why Linux is poorly treated is because it is thought by many companies that with Linux being Open Software, it becomes possible to hijack secure channels at the kernel level. This was certainly the argument back in the DRM-encumbered media days a decade or more ago.

And yet, somehow, it's Windows that's running a bunch of black box lowest-bidder Chinese or Indian code at kernel level. Go figure.

And don't tell anyone at Microsoft about what a hypervisor could do with those secure channels while running underneath Windows. Wouldn't want them to cotton on to the house of cards they've built.

GPS jamming around Cyprus gives our air traffic controllers a headache, says Eurocontrol

whitepines
Boffin

Any INS will drift over time, and is not something you want to rely on for an approach threading between mountains. With modern approaches requiring ever-increasing precision (RNP) and fewer (less precise) ground stations available than before, it's entirely possible that some regions now simply cannot safely accept air traffic in the case of a widespread GNSS outage. The net effect should just be redirected flights and angry passengers (not CFIT incidents), but that also depends on the quality of the spoofing equipment if more than simple jammers are in use.

whitepines
Coat

Re: And if you get jammed, it causes the map to shift

I was just about to post this. RAIM failures, which remove the GPS as a primary navigation source instead of just allowing garbage / incorrect position data to be shown / used, should be pretty hard to defeat. Doubly so if the altimeter is factored in to the RAIM checks.

I wonder if a badly flown VOR approach after a GPS outage was more to blame for the terrain warnings than straight out GPS spoofing. Yes, I'm being snarky and will grab my coat!

The wastepaper basket is on the other side of the office – that must be why they put all these slots in the computer

whitepines
Boffin

Re: Fire

That's generally what it is even today -- defective capacitors. They are placed across power rails that are able to source enough current to ignite the remnants of damaged MLCC capacitors. Once they go up, a nice film of resistive (as in partly conductive) carbon tends to coat the area, so on next power attempt the flame gets even bigger as the carbon ignites.

Texas blacks out, freezes, and even stops sending juice to semiconductor plants. During a global silicon shortage

whitepines
Joke

Re: 2 Hours South of Austin

> It's almost like living in a third world country here at times.

When you reach the point where you don't bother to bag it any more and just leave it near the dumpster, Texas will have officially become a third world country.

Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg

whitepines

Re: Collusion

> is visible by its certificate during the TLS handshake.

On TLS 1.2 and earlier, yes, assuming SNI isn't used. TLS 1.3 fixes this.

To be very clear I'm not saying the Bloomberg allegations are correct. I'm simply pointing out the fact that it is not easy to detect this type of malware, and especially so if there is any kind of targeting of the supply chain attack (to weaker security environments) or intelligence in the payload (i.e. don't activate unless other SSL traffic spotted on the network).

whitepines
Devil

Re: Collusion

Compromised hardware will beat any software working above layer 1. The difficult bit is managing to get the compromised hardware installed at every step in the path where packets may be inspected.

With HTTPS for Microsoft services being strongly encouraged in Windows environments, and outside of special SSL MITM setups that may violate various laws (e.g. EU privacy laws I think prevent this), there is already a tremendous amount of uninspected traffic passed through an average corporate firewall. A few packets for the backdoor here and there in that sea of opaque traffic will quite frankly go unnoticed. Even in a MITMed environment, a smart backdoor would see that MITMing during the SSL handshake and immediately deactivate itself, making detection even less likely.

whitepines
Alert

Re: Not a backdoor

> You can disable Intel ME entirely and disable the ME coprocessor if it suits your security model, just as you can use server hardware without IPMI features.

NO. No you can't. That's the whole problem. AMD has their PSP, Intel has their ME, ARM makers usually go one step further and lock the entire boot process on chips like Snapdragon, leaving a couple of alternatives like Power and RISC-V, and not much else.

What I find most interesting is the claim that Intel's network was invaded. That could range anywhere from accessing a few employee workstations to stealing the keys to the kingdom (the ME signing keys), at which point a grain of rice type flash device could absolutely hijack the Intel ME, much like the Solarwinds mess.

If the (theoretical) attackers then used standard HTTPS traffic with a hard-coded range of IPs, the malware could probably communicate through most firewalls, especially in a Windows environment where activation requires this kind of communication to be allowed in the first place. The ME is more than powerful enough to support this kind of advanced malware...

Wine pops cork on version 6.0 of the Windows compatibility layer for *nix systems

whitepines

Re: Much as I like and use Linux

Yes. And since Windows is banished to certain firewalled network segments with no general Internet access, mainly to contain Microsoft's creepy spyware, that clause is a major problem!

whitepines
Alert

Re: Much as I like and use Linux

> Licensing,

This. Relevant to today with remote working, read the Win 10 "Professional" EULA carefully. One user per box if you're using RDP, or pay up for server. And the audits that come with it. And that's not one user at a time, no, it's one specific user only. If anyone else logs on, at any time, it's an automatic license violation. Which is great when the specialty application in question is network licensed, a royal PITA to install, and effectively designed for that instance to be shared among team members as required.

Given this, as a Linux shop Wine was a no-brainer for that one required application. Even though a couple bugs needed fixing before it was working properly, still came out far ahead on cost. No other Windows software, it's proven cheaper to write replacements or just avoid Windows-specific technology in most cases.

Must 'completely free' mean 'hard to install'? Newbie gripe sparks some soul-searching among Debian community

whitepines
Facepalm

Identity crisis?

The reason I use Debian, on purpose, is exactly the fact they don't ship proprietary software cleverly hidden away. If they start doing that, I'll have to start looking at other distros.

If you want proprietary stuff you don't control, can't fix, and want to put up with all the privacy and security issues of using someone else's unaudited closed source software, there are lots of other options. Ubuntu and Mint leap to mind.

Police drone plunged 70ft into pond after operator mashed pop-up that was actually the emergency cut-out button

whitepines

Re: How to scare people, lesson one:

Does an unpowered drone fall with the passively rotating blades giving some compensating lift like an autogiro?

Considering a quadcopter has zero static stability, relying only on the flight computer and powered blades to stay upright, the most likely outcome is a tumbling drone falling much like a plastic brick of similar size and weight.

Beagleboard peeps tease dual-core 64-bit RISC-V computer with GPU, AI acceleration, more for $119

whitepines
Thumb Up

Re: Still waiting for an OpenRISC version

I never understood the RISC-V hype train either. A bunch of embedded, incompatible CPUs that seem more applicable to hardware like nVidia's Falcon units or embedded disk controllers? I had OpenRISC on an FPGA many years ago, fond memories but cheap ARM chips displaced the need over time.

Now a board with an OpenPOWER CPU on it... that might be interesting.

That would be awesome. I'd buy several, if they managed to be as open as the IBM offerings.

whitepines

Re: RPi4 vs Beagle V

I wonder why the contact info was nowhere to be found on the funding site. Regardless, might drop a line and see what the plans are.

The RPi is a very closed system, which is why this one would need to be open to make dealing with it worthwhile both in hardware cost and software support. I have no interest in rip and replace, one closed system replacing another closed system, but opening things up would potentially be worthwhile.
