* Posts by whitepines

807 posts • joined 29 Aug 2017

It's time to delete that hunter2 password from your Microsoft account, says IT giant

whitepines
Big Brother

Anyone else notice the nice subtle change (at least in some jurisdictions outside Blighty) from a legally protected login key (password) to one that can be legally coerced or stolen (face ID, thumbprint, etc.)?

Not that it matters much in the face of Microsoft's ability and willingness to sift through its users' data for any purpose in the first place!

IBM's first 7nm Power10 chip arrives in E1080 server system with a wealth of shiny features

whitepines

Re: Not a true comparison

Not sure about that, the "features" linked are fairly fundamental (RAM? PCI Express?).

The OpenPower parts are almost always rebinned / cut down versions of the base processor variant. I see no reason this won't remain an issue on the OpenPower chips.

Who would cross the Bridge of Death? Answer me these questions three! Oh and you'll need two-factor authentication

whitepines
Big Brother

Re: If you don't use Chrome

I've always suspected the ease of captcha completion is directly proportional to how well Google is tracking you. Easy captcha means Google at least thinks it knows exactly who you are, where you are, what you are likely to want to buy next, and can easily serve you ads. Hard captcha means Google doesn't know who you are and has to resort to generic, less profitable, non-personalized ads.

As much as I don't like endless pictures of trucks and crosswalks, I think I like Google knowing exactly who I am and where I am at any given time much less. Gives a lot of time to think about whether the web site on the other end of the endless captchas is actually worth visiting, too.

Blessed are the cryptographers, labelling them criminal enablers is just foolish

whitepines
Thumb Up

Democracy!

Privacy creates agency. When you can communicate privately, your potential actions grow.

Brilliant. This is the most concise form of the basic privacy argument that I have seen.

LibreBMC project to open source baseboard management controllers with security as a priority

whitepines

Competition is good?

Seems there are now two competing FPGA BMC projects -- the original project is Kestrel:

https://gitlab.raptorengineering.com/kestrel-collaboration/kestrel-litex/litex-boards/-/blob/master/README.md

From what I can see Kestrel is already functional, and LibreBMC is still in the early planning phase. Will be interesting to see what happens from here, and which project gains traction.

Microsoft calls time on Timeline: Don't worry, more features that nobody asked for coming your way

whitepines
Facepalm

Re: "We can't wait to hear what you think!"

the ability to restart applications automatically following reboot and sign in

My Linux boxes have all done that, locally, for the past 15 years or more. It's something I don't even think about any more, I just expect it to happen on login and very much like it.

Did Micros~1 somehow manage to require a cloudy service backend for this basic feature?

FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins

whitepines
Happy

Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

[0] When was the last time you checked the status of yours?

My Blackbird desktop doesn't have a Management Engine. It also doesn't run Windows or commercial games [1].

Such a nice feeling though, not having a known backdoor.

[1] I have another computer for the few games worth playing these days. As far as its Management Engine is concerned, "gamer1" only visits Steam forums and the like.

Who'd have thought the US senator who fist pumped Jan 6 insurrectionists would propose totally unworkable anti-Big Tech law?

whitepines
Boffin

Re: Yeah, but....

If you believe in a sovereign nation, it is not unreasonable to assign a corporate valuation ceiling based upon the valuation of the encapsulating nation.

That's not half bad, cap at 49% of GDP much as Bitcoin assumes no one entity can control 50% or more of all mining resources.

Perhaps blockchain can manage some good in the end, if only in conceptual form?

For blinkenlights sake.... RTFM! Yes. Read The Front of the Machine

whitepines
Trollface

Re: Broke my little toe...

Usually whoever is the "banker" in my experience.

And this is different from real life in what manner?

IBM creates a COBOL compiler – for Linux on x86

whitepines
Boffin

Re: COBOL

I was curious about that so I went to look at the Power ISA. There's an entire chapter dedicated to decimal floating point:

https://wiki.raptorcs.com/w/images/c/cb/PowerISA_public.v3.0B.pdf

Not sure any Linux compiler uses it though, or even what performance benefit would exist for real world applications.

Over a decade on, and millions in legal fees, Supreme Court rules for Google over Oracle in Java API legal war

whitepines
Devil

Re: Minions Finally Lose

Perhaps there was concern IBM or some other entity could wind up denying Oracle a license for SQL, should this have gone into the mirror universe?

Time for an upgrade: Dev of the last modern browser for PowerPC Macs calls it a day

whitepines
Boffin

Re: There's always Linux...

Void is targeted more at modern Power boxes, like the Raptor stuff. I know for a fact the Debian ppc64el variant works fine with 3D acceleration and various browsers, since I use a Blackbird as a daily driver with Debian on it.

How much of the old 32-bit (or 64-bit big endian) old Mac ports will keep working, and for how long, is an open question at this point. Roughly speaking it's like trying to keep support for early Pentium 4 systems, but with more problems due to the backwards* endianness on the old Power devices.

* Yes, yes, I know big endian is the "proper" way of doing things from a human perspective. Intel won out with little endian, and we're now at the point where even new GPUs assume the hardware they're attached to is little endian.

IBM, Red Hat face copyright, antitrust lawsuit from SCO Group successor Xinuos

whitepines
Facepalm

What are the chances this was revived just before the upcoming Oracle vs. Google ruling, in case APIs are in fact considered copyrightable in the Land of the Unfree?

Cheap shot, but short of copyright reform (20 years like patents would be reasonable) it would be highly effective in killing Linux inside the United States. Wonder if there are any connections to Microsoft in this case, as in pay for Windows and accept Microsoft spying T&C if you want to use Linux?

What could be worse than killing a golden goose? Killing someone else's golden goose

whitepines
Coat

Re: At DryBones, re: rubber cheques...

$0 & 1Cent

Missed an opportunity there to give Reality your two cents!

US govt indicted me because I make privacy tools, says crypto-chat app CEO accused of helping drug smugglers

whitepines
WTF?

Re: So tomorrow Signal, Telegram?

So how does one in fact determine that the potential buyer is not a drug dealer before the sale is made? Is there a clearing house of some sort to verify?

Or, perhaps, does the concept of mens rea come in to play where even if the fact comes out later on that you inadvertently sold something to a criminal, you are not guilty of any crime since you did not knowingly do so?

I sincerely hope we have not reached the point where everyone must be surveilled everywhere since everyone is assumed to be a criminal, and therefore any privacy-enhancing technology is unsafe to sell.

Hacktivists breach Verkada and view 150,000 CCTV cams in hospitals, prisons, a Tesla factory, even Cloudflare HQ

whitepines
Facepalm

It's all in the name

Closed Circuit TV. Not IoT TV. Why was this video even technically accessible outside the organizations that installed this supposed "CCTV" system?

It's one thing to stream / offload locally encrypted dumps in case something burns down or disappears. It's another thing entirely, and arguably far from CCTV, to have outside contractors / employees able to view your creepy IoT camera network!

Genuinely curious: Does this trigger any GDPR consequences around use of biometric data against the idiotic afflicted organizations?

Customer comment and contributions no more as Microsoft pulls the plug on Office 365 UserVoice forum

whitepines
Coat

Define "best"

we need to shift our areas of innovation and development to provide our customers the best possible experiences.

[Goes to load the latest interminable meeting or task list]

"[sad cloud icon] The Microsoft Cloud is having a whoopsie. Try again later."

Do that for a half an hour and (pre-virus) we could all go home / to the pub instead of the office, at which point Microsoft would have indeed provided "the best possible experience".

Wait, wasn't that ambiguity the plot of a certain Asimov series? Seems appropriate with the mention of the "AI-powered assistant".

whitepines
Alert

Re: Reality check

I suspect that the main reason why Linux is poorly treated is because it is thought by many companies that with Linux being Open Software, it becomes possible to hijack secure channels at the kernel level. This was certainly the argument back in the DRM-encumbered media days a decade or more ago.

And yet, somehow, it's Windows that's running a bunch of black box lowest-bidder Chinese or Indian code at kernel level. Go figure.

And don't tell anyone at Microsoft about what a hypervisor could do with those secure channels while running underneath Windows. Wouldn't want them to cotton on to the house of cards they've built.

GPS jamming around Cyprus gives our air traffic controllers a headache, says Eurocontrol

whitepines
Boffin

Any INS will drift over time, and is not something you want to rely on for an approach threading between mountains. With modern approaches requiring ever-increasing precision (RNP) and fewer (less precise) ground stations available than before, it's entirely possible that some regions now simply cannot safely accept air traffic in the case of a widespread GNSS outage. The net effect should just be redirected flights and angry passengers (not CFIT incidents), but that also depends on the quality of the spoofing equipment if more than simple jammers are in use.

whitepines
Coat

Re: And if you get jammed, it causes the map to shift

I was just about to post this. RAIM failures, which remove the GPS as a primary navigation source instead of just allowing garbage / incorrect position data to be shown / used, should be pretty hard to defeat. Doubly so if the altimeter is factored in to the RAIM checks.

I wonder if a badly flown VOR approach after a GPS outage was more to blame for the terrain warnings than straight out GPS spoofing. Yes, I'm being snarky and will grab my coat!

The wastepaper basket is on the other side of the office – that must be why they put all these slots in the computer

whitepines
Boffin

Re: Fire

That's generally what it is even today -- defective capacitors. They are placed across power rails that are able to source enough current to ignite the remnants of damaged MLCC capacitors. Once they go up, a nice film of resistive (as in partly conductive) carbon tends to coat the area, so on next power attempt the flame gets even bigger as the carbon ignites.

Texas blacks out, freezes, and even stops sending juice to semiconductor plants. During a global silicon shortage

whitepines
Joke

Re: 2 Hours South of Austin

It's almost like living in a third world country here at times.

When you reach the point where you don't bother to bag it any more and just leave it near the dumpster, Texas will have officially become a third world country.

Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg

whitepines

Re: Collusion

is visible by its certificate during the TLS handshake.

On TLS 1.2 and earlier, yes, assuming SNI isn't used. TLS 1.3 fixes this.

To be very clear I'm not saying the Bloomberg allegations are correct. I'm simply pointing out the fact that it is not easy to detect this type of malware, and especially so if there is any kind of targeting of the supply chain attack (to weaker security environments) or intelligence in the payload (i.e. don't activate unless other SSL traffic spotted on the network).

whitepines
Devil

Re: Collusion

Compromised hardware will beat any software working above layer 1. The difficult bit is managing to get the compromised hardware installed at every step in the path where packets may be inspected.

With HTTPS for Microsoft services being strongly encouraged in Windows environments, and outside of special SSL MITM setups that may violate various laws (e.g. EU privacy laws I think prevent this), there is already a tremendous amount of uninspected traffic passed through an average corporate firewall. A few packets for the backdoor here and there in that sea of opaque traffic will quite frankly go unnoticed. Even in a MITMed environment, a smart backdoor would see that MITMing during the SSL handshake and immediately deactivate itself, making detection even less likely.

whitepines
Alert

Re: Not a backdoor

You can disable Intel ME entirely and disable the ME coprocessor if it suits your security model, just as you can use server hardware without IPMI features.

NO. No you can't. That's the whole problem. AMD has their PSP, Intel has their ME, ARM makers usually go one step further and lock the entire boot process on chips like Snapdragon, leaving a couple of alternatives like Power and RISC-V, and not much else.

What I find most interesting is the claim that Intel's network was invaded. That could range anywhere from accessing a few employee workstations to stealing the keys to the kingdom (the ME signing keys), at which point a grain of rice type flash device could absolutely hijack the Intel ME, much like the Solarwinds mess.

If the (theoretical) attackers then used standard HTTPS traffic with a hard-coded range of IPs, the malware could probably communicate through most firewalls, especially in a Windows environment where activation requires this kind of communication to be allowed in the first place. The ME is more than powerful enough to support this kind of advanced malware...

Wine pops cork on version 6.0 of the Windows compatibility layer for *nix systems

whitepines

Re: Much as I like and use Linux

Yes. And since Windows is banished to certain firewalled network segments with no general Internet access, mainly to contain Microsoft's creepy spyware, that clause is a major problem!

whitepines
Alert

Re: Much as I like and use Linux

Licensing,

This. Relevant to today with remote working, read the Win 10 "Professional" EULA carefully. One user per box if you're using RDP, or pay up for server. And the audits that come with it. And that's not one user at a time, no, it's one specific user only. If anyone else logs on, at any time, it's an automatic license violation. Which is great when the specialty application in question is network licensed, a royal PITA to install, and effectively designed for that instance to be shared among team members as required.

Given this, as a Linux shop Wine was a no-brainer for that one required application. Even though a couple bugs needed fixing before it was working properly, still came out far ahead on cost. No other Windows software, it's proven cheaper to write replacements or just avoid Windows-specific technology in most cases.

Must 'completely free' mean 'hard to install'? Newbie gripe sparks some soul-searching among Debian community

whitepines
Facepalm

Identity crisis?

The reason I use Debian, on purpose, is exactly the fact they don't ship proprietary software cleverly hidden away. If they start doing that, I'll have to start looking at other distros.

If you want proprietary stuff you don't control, can't fix, and want to put up with all the privacy and security issues of using someone else's unaudited closed source software, there are lots of other options. Ubuntu and Mint leap to mind.

Police drone plunged 70ft into pond after operator mashed pop-up that was actually the emergency cut-out button

whitepines

Re: How to scare people, lesson one:

Does an unpowered drone fall with the passively rotating blades giving some compensating lift like an autogiro?

Considering a quadcopter has zero static stability, relying only on the flight computer and powered blades to stay upright, the most likely outcome is a tumbling drone falling much like a plastic brick of similar size and weight.

Beagleboard peeps tease dual-core 64-bit RISC-V computer with GPU, AI acceleration, more for under 100 quid

whitepines
Thumb Up

Re: Still waiting for an OpenRISC version

I never understood the RISC-V hype train either. A bunch of embedded, incompatible CPUs that seem more applicable to hardware like nVidia's Falcon units or embedded disk controllers? I had OpenRISC on an FPGA many years ago, fond memories but cheap ARM chips displaced the need over time.

Now a board with an OpenPOWER CPU on it... that might be interesting.

That would be awesome. I'd buy several, if they managed to be as open as the IBM offerings.

whitepines

Re: RPi4 vs Beagle V

I wonder why the contact info was nowhere to be found on the funding site. Regardless, might drop a line and see what the plans are.

The RPi is a very closed system, which is why this one would need to be open to make dealing with it worthwhile both in hardware cost and software support. I have no interest in rip and replace, one closed system replacing another closed system, but opening things up would potentially be worthwhile.

whitepines

Re: RPi4 vs Beagle V

There is a github, which has a schematic (with blurry images), block diagrams and a full bill of materials: https://github.com/beagleboard/beaglev

No firmware there though.

I note they were very careful to state open hardware (schematics etc.) and open software (presumably some kind of Linux) but they specifically avoided saying open firmware. That raises my suspicion at this point, especially since I have been completely unable to locate any firmware online for any device with the U74 cores.

I was going to mail them to try to get some clarification, but there seems to be no contact link, and that heightens my suspicions further.

If it's not completely 100% free of binary firmware I see no reason to replace my well-supported Raspberry Pis. Especially not for over £100 each.

whitepines
Alert

Re: RPi4 vs Beagle V

I wish that the Beagle V was better, but for the price, what you are getting is only worth it if it is truly blob free.

With all the PR bullshit and weasel wording on their crowdfunding site, it's quite unlikely this is the case. For a device that's supposed to ship in the next few months, either a statement stating open firmware (notably absent) or a GitHub link would be expected.

Buggy code, fragile legacy systems, ill-conceived projects cost US businesses $2 trillion in 2020

whitepines
Thumb Up

Re: Quality

How many of us would pay extra for a formerly free and open source product if it meant that the developer would be paid full-time and could hire additional full-time developers.

Sure, absolutely, but only if I kept getting the source code under the same terms, i.e. being able to modify and enhance without paying some kind of subscription fee in perpetuity even if the developer(s) stopped developing.

Open-source contributors say they'll pull out of Qt as LTS release goes commercial-only

whitepines

Re: The next generation will attempt to port the kernel to Javascript...

As someone admittedly not involved in mobile app development, what stops you from using the LGPL Qt version for a mobile app? The app stores themselves? Qt? Something else?

whitepines
Holmes

Re: One less reason to bother with QT.

Qt has always been KDE's Achilles heel. In fact I would go so far as to say that Qt is the main reason Gnome, XFCE, etc. are (as a group) more widely used -- KDE tends to finally reach a stable and just about usable point right as Qt forces some major shift (API breakage, licensing changes) that throws KDE back into complete chaos for yet another decade.

Wonder if the KDE developers will ever cotton on to this fact and start maintaining their own open-source version of Qt? Or will KDE continue on as a mere tech demo of old Qt technology?

Raspberry Pi to anoint ‘Design Partners’ it will recommend for industrial applications

whitepines
Big Brother

Conversely, this kind of requirement a.) can change (more than two employees? five? fifty?) and b.) means the companies on the list are probably more expensive than other more streamlined operations, including those that might primarily use contractors as a lower cost option.

My guess is the list probably won't be very useful for anyone other than "box tickers" at large corporations. I've seen this kind of thing come and go over the years, this won't be any different.

Social isolation creates craving in the same brain region as wanting food or addictive drugs, study finds

whitepines
Paris Hilton

Re: "Cravings for social interactions"

Mondays and Fridays is game night with my two best friends, the rest of the week is my wife and daughter, and that is all I need.

So you actually do have enough social interaction to satisfy the basal need identified by the study.

Your point was?

EU says Boeing 737 Max won't fly over the Continent just yet: The US can make its own choices over pilot training

whitepines
FAIL

Re: Two angle-of-attach sensors not enough

This is where the fact that the crew in the cockpit did not know how to fly became the issue.

This really is the crux of the matter. The computer is very good at following rules, the humans to some extent are there mainly to improvise and make best guesses as to what is actually happening when there isn't enough data for the computer to follow the rules (aided with some additional sensory powers the computer does not have, but hindered by not having other sensory powers the computer does have). The one thing the human can do that the computer cannot is make a series of guided guesses outside the normal flight rules that just might save the airplane from destruction, and even then history shows many humans fail at this fallback task when the computers give up.

In this case the computer absolutely could have kept the airplane flying along, but it would have had to know the problem was only the pitot tubes and that the captain's decision was to treat it as an airspeed sensor failure. At that point it could have kept the wings level and set the engine power to a known safe value. However, Airbus didn't design it that way, Airbus assumed the human backup pilot would take control, do an evaluation, determine the most likely fault, determine the correct course of action for the fault, and keep control of the airplane during and after the failure. The one thing the computer couldn't do was make the decision to handle the fault as a pure airspeed failure -- it just saw disagreeing sensors and, not being intelligent, threw its hands up and said it was done flying.

Simply put, pilots that cannot even keep the shiny side up with a single system inoperative (airspeed) using basic flying techniques are demonstrably worse than the automation in every way and should be barred from anything that looks like a flight deck!

Watchdog signals Boeing 737 Max jets can return to US skies following software upgrade, pilot training

whitepines
Joke

Re: Dating back to the 1096s

It also (very evidently, since it happened in this case) allows for the computer to decide that actually, it wants to dive into the ground irrespective of the pilot control inputs

Alright, who put Marvin the Paranoid Android in the captain's seat?

I'm going, I'm going!

Microsoft brings Trusted Platform Module functionality directly to CPUs under securo-silicon architecture Pluton

whitepines
Happy

Re: What Choice Do You Have?

I use Power on my desktop (a Blackbird system). A bit more practical than RISC-V, since it's in the same performance class as Intel right now. Main reason I did this is the lack of IME/PSP and no closed source rubbish in the boot process.

whitepines
Boffin

Correct me if I'm wrong, but didn't AMD already do this? The TPM functionality is implemented by the PSP, which makes largely the same claims as Pluton here.

Or was AMD lying somewhere about PSP capabilities?

Oh, and the PSP has already been hacked. Along with the IME. Seems the super secure secret environments running God-knows-what signed proprietary firmware weren't so secure after all! How is Pluton (supposedly) different?

The day I took down the data centre- I mean, the day I saved the day. Right, boss?

whitepines
Boffin

Are you certain the sudden loss of the load from that entire block isn't what caused the subsequent surge elsewhere?

whitepines
Boffin

Re: That's interesting

That doesn't sound like a useful thing to me

We use it for stress testing, mostly (in test environments). It's found several pile of poo switch vendors / models before they were put into production.

It's also been used at commissioning, to stress test entire networks. Put it on the fattest pipe and watch it do its magic, if nothing crashes the network is probably good to go for years.

Zoom finally adds end-to-end encryption for all, for free – though there are caveats

whitepines
Alert

Sorry to burst the PR bubble, but while the Zoom client and its encryption engine remain closed source, Zoom can absolutely decide to break into an "E2EE" video chat with a simple update or even a list of users that Zoom has a second (backdoor) key for. All we have is a weak pinky promise that they won't listen in, so this is just a feel-good feature mostly saying they're not intentionally mass-hoovering the contents of every single conference that happens on their platform.

Give us an open source client that we can verify the encryption for, then there might be some actual confidence in this. Until then this is security theatre at its finest.

Cloudflare floats cloud grand unification theory based on zero-trust access and security

whitepines
Boffin

Can anyone explain how this "zero trust" concept is supposed to work? From my admittedly comfy work from home chair it seems that one has to trust:

...the device hardware / firmware / OS (closed source, hardware vendor controlled)

...the service provider and its software (closed source, provider controlled with a smattering of hardware vendor control underneath)

...the distribution system for updates to above closed components

...governments not to require backdoors in any of the above

...all over a public WAN, where any flaw in any of this could compromise the entire network / organization

Compare to the relatively small, known border of a traditional VPN solution (especially one built on open source software), where there is at least a tiny bit of defense-in-depth, and I see a ton of additional risk flags. In fact something smells distinctly snaky and feels oily about this...

Selling hardware on a pay-per-use or subscription model is a 'lie' created by marketing bods

whitepines
Thumb Up

Re: Cashflow & tax rules

I think CNC stuff is the closest thing to a replicator that we've come.

Spot on. How is it not near magic to throw a concept into FreeCAD, run Slic3r, then have the physical object from a Marlin-driven 3D printer an hour or two later. And all without anyone else's cloud or other leased machinery* in the mix, making it pretty much an exact comparison to the Star Trek replicators in terms of personal liberty. Yes, it's plastic and usually some assembly required, but still this is unprecedented and useful capability compared to even 20 years ago.

* We actually run the 3D printers on OpenPower hardware (no Intel ME / AMD PSP), Linux, and Arduino (no locked loaders etc.) at the machine end. This was carefully chosen so that the apparatus will work until some key part breaks and for some reason can't be manufactured and replaced, versus until some license runs out or planned obsolescence hits.

whitepines
Boffin

Re: Cashflow & tax rules

For the small amount of mechanical CAD our company does we actually settled on FreeCAD for the reasons outlined above. We tend to need to keep designs around for quite a while, and the subscription model meant that in addition to all the other risks there was a distinct risk of a 10 year old design simply not loading on the latest (and only) cloud version, forcing redesign / revalidation / recertification of the design.

Proposed US fix for Boeing 737 Max software woes does not address Ethiopian crash scenario, UK pilot union warns

whitepines
Paris Hilton

Re: Oh. My. God.

or have a lower runway for the same reason

Hrm?

Oh you mean 737 MAX Certified Runways. Two custom trenches for the engines to dangle down inside during takeoff and landing?

In all seriousness none of those things would work. Engines are shaped the way they are because they are designed by proper engineers (not Boing) for efficiency. You can't just change the shape and keep the efficiency / power / etc., and even if you could the cost (including MX) would probably be higher for the custom Boing engines than the more standard ones used by everyone else.

Landing gear length is set very early on in the design and really can't be changed (much) afterward without redesigning half the aircraft. No more grandfathering in that case.

Boeing needed to put new engines on the 737 because they couldn't afford to design a new plane

This sounds about right. Boing lost in the market via the typical American story of greed leading to short sighted business decisions (who needs engineers or R&D?) and instead of quietly exiting stage left decided to kill 300+ people in the pursuit of even more dosh. How the board has not been brought up on charges at this point is quite beyond me.
