* Posts by whitepines

705 posts • joined 29 Aug 2017

Page:

Publishers sue to shut down books-for-all Internet Archive for 'willful digital piracy on an industrial scale'

whitepines Silver badge

Of all the things to attack about the publishing industry, I wouldn't start with the authors.

The authors could insist on continued availability of DRM free ebooks or paper books at reasonable prices. Those that just allow the publishers to set whatever terms they like for access to the content, at whatever prices the upper echelon of the market will bear (note that mandatory personal data sales / rental access is actually a price, and a high price for many), are very much complicit and partly at fault through inaction for the current situation.

The authors are the only ones that can change this part of the equation. They need to step up before outright piracy, or unpaid open works, become the social norm.

whitepines Silver badge

Re: But what about...

But I presume you expect publishers to keep printing every book ever made, just in case you may want a copy.

If they insist on 120+ year copyright, YES, while they are still under copyright protection. We didn't choose to put the publishers in that position, they put themselves there with excessive copyright durations.

If they can't at least make our culture available to us for purchase when we choose, then they should release the work to the public domain. Simple.

whitepines Silver badge

If you're one of the few that allows an un-DRMed ebook purchase, I applaud your efforts and would purchase those works and abide by the copyright on them.

Obviously what IA is doing here is not legal, I'm not sure how they managed to come to the conclusion that this was acceptable. That said, most publishers and authors have taken such a hardline stance on rental only content that something has to give somewhere, the copyright social contract has been repeatedly violated by the publishers via technology at this point, and I wonder if this is the first salvo in the coming war over what the new social contract for content will look like.

In the absolute worst case. i.e. if publishers refuse to compromise and return to at least some semblance the pre-digital status quo, it's very possible for society to choose to reject the legacy publishers entirely. I wonder if IA did this on purpose to challenge the current abuses by the industry, though I suspect they just screwed up here.

This is an issue that has been bothering me for a while now. One book I wanted access to costs well over £250 for the hardcover dead tree version, if you can get it at all, while the digital DRMed Windows-only spy-on-you-as-you-read Internet-linked version is only £30 or so. Nothing exists in between. Because I value my privacy and the permanence of my collection, I had to pay 9x more to read the work. If that's considered "fair" by publishers, it's no wonder society is starting to ignore copyright en masse.

whitepines Silver badge
Alert

Re: Welcome to the mordern world

If you'd kept copyright at sane terms (duration and license agreements) you might have an argument.

But, as it stands, you're reaping exactly what you've sown. You made the deal to keep things legal so terrible that society is simply ignoring you now.

Note I don't condone the piracy any more than I condone what copyright has turned into, but I will say that if I can't buy a paper copy, one on physical media (no Internet connection or authentication required), or a non-DRMed digital copy, I don't "buy" the work at all. I support open content as a means (really the only legal means) of protest as a direct result of DRM and related restrictions.

You have no one to blame but yourself.

eBay users spot the online auction house port-scanning their PCs. Um... is that OK?

whitepines Silver badge
Alert

And what do you think Ebay's response to you actively scanning their servers, perhaps behind their firewalls via exploits, "to protect against fraud" would be? After all, just because it says ebay.com in the browser doesn't mean their site is secure or that you are on the legitimate ebay.com.

I suspect the response would be in terse legalese threatening hacking charges and prison. It's the active penetration / behind firewalls part of what Ebay is doing that probably makes it illegal, but IANAL.

Das reboot: That's the only thing to do when the screenshot, er, freezes

whitepines Silver badge
Devil

Re: The nasty version

No, that's actually understandable to a German speaker. You need to make it unintelligible except for the "I can't understand you" bit.

IBM cuts deep into workforce – even its Watson and AI teams – as it 'pivots' to cloud

whitepines Silver badge

Re: Pivot

If they finally do sell the rest of their hardware divisions, yes, Itsy Bitsy Morons would effectively be in an assisted care facility, waiting to shuffle off this mortal coil...

whitepines Silver badge
Unhappy

Re: Cut loose, foot loose

You can get commercial time on a Power cloud over at Integricloud, and I think non-commercial time at a university in Brazil (?), but if you're looking for AWS style stuff you're out of luck at the moment. IBM saying it looked at cutting Power loose entirely won't help adoption there either, in my opinion.

It's a real shame, I love my OpenPower desktop, but it may end up being my last secure machine. Orwell always seems to win in the end, somehow...

If you're appy and you know it: The Huawei P40 Pro conclusively proves that top-notch specs aren't everything

whitepines Silver badge

Re: reviewer uses Google extensively

Have an upvote for the info. I completely agree on this -- it's not acceptable for Google to do it, and it's also not acceptable for Huawei to do it. Everyone wants to sell that juicy data instead of just selling decent hardware; of all firms you'd think Huawei might understand the distinction, but apparently not!

whitepines Silver badge

Re: reviewer uses Google extensively

Can we get a review from someone who doesn't like sending all their data to Google?

Seconded. I go out of my way to avoid and confuse Google's slurp machine already, and it sounds like this might be a perfect phone to use with Lineage, but I'd need to know if it's available with an unlocked bootloader or not.

How about phone reviews for both the Google lemming masses and the more tech-savvy, privacy-conscious crowd? Bonus points to use something like Nextcloud as the backend cloud storage instead of anything Google/Microsoft/Huawei!

India makes contact-tracing app compulsory in viral hot zones despite most local phones not being smart

whitepines Silver badge
Big Brother

Re: Could be

The fact that I went to the hardware store and supermarket last Thursday strikes me as being a data point whose value to anyone is as close to zero as it is possible to come without violating the laws of quantum mechanics.

Supermarket: Verify sanctioned "healthy lifestyle" purchases were made, if not, send fine due to predicted extra load on NHS.

Hardware store: Check for council approval on improvements, verify items bought are not used for terrorist purposes or to subvert the state in any way.

You're just thinking too small! Big Brother is watching...

Square peg of modem won't fit into round hole of PC? I saw to it, bloke tells horrified mate

whitepines Silver badge
Coat

Re: Saws

Considering I've only ever seen it spelled Mjölnir?

Or did you actually want to use a gun turret on your PC? I know using Windows 10 can make this seem like an attractive solution, but you can just install Linux you know...

Happy birthday, ARM1. It is 35 years since Britain's Acorn RISC Machine chip sipped power for the first time

whitepines Silver badge

Re: "All issues with management blobs etc. aside, this is a bit debatable IMO"

You're correct, for the SiFive stuff it's open source(ish?). For a while it wasn't, and I'll admit to not knowing if the underlying issue was fixed or if they just managed to hide the blob somewhere else that hasn't been looked into. If they managed to finally open source the entire firmware, that's good.

All I'm really trying to say is that as an OpenPOWER user on desktop I can't imagine going backward to where RISC-V is at, and it frustrates me to no end that RISC-V keeps getting the spotlight when it's actually quite inferior as it stands today. I know some of this is RISC-V was first to the gate as an open ISA, but from a technical perspective it's always been a bit of a mess.

The simple fact is, if I have $3,000 USD to spend I can either get:

* A RISC-V system with a few PCIe Gen 2 lanes and an ARM class CPU that can't run a lot of my software without fiddling around with it, plus doesn't have any real distro support and (one of the main reasons I won't touch it) could become nearly worthless with a future update to the ISA

* An OpenPOWER desktop system with near-x86 class cores and a bunch of PCIe Gen 4 I/O, that runs standard Linux distros and the vast majority of existing Linux software out of the box, and has an established backward compatibility track record. And uses a standard form factor to boot.

Both are open ISA, yet one seems on paper to be an objectively better choice. Given the options, why doesn't OpenPOWER get the same interest as RISC-V at this point? I'm genuinely confused...

whitepines Silver badge

Re: "Not sure why El Reg keeps only highlighting RISC-V as the One True ARM/x86 Killer"

capable of running desktop Linux.

All issues with management blobs etc. aside, this is a bit debatable IMO. Looking at the Debian archive build status * (which unfortunately is b0rked at the moment) RISC-V has a lot of software that just doesn't build. It's in the ports tree, not main Debian, and frankly with the lack of standardization on what the ISA actually is / does or does not include it's not going to be an easy thing to try to support in the larger software packages. Best case I expect it to break apart into several flavors (as ARM once did with the original Raspberry Pi -- remember Raspbian specially built packages?), worse case it may have enough incompatible hardware in the wild not to gain traction in the major distros for many many years.

Most of the cited examples have one thing in common. They are all largely embedded devices (even if fairly powerful) where the vendor has control from cradle to grave, so it doesn't really matter if binaries for one implementation run on another. This is how ARM development was done for years before SBSA and similar initiatives, and I just have no appetite for that on desktop personally. I tried ARM on desktop in that timeframe, and it just got to be too much of a pain in the rear to continue -- having to compile almost everything outside of the kernel and base system components means you end up running outdated insecure software in the long run. I can apt-get / dnf anything I need from the main distros on x86, ARM, and OpenPOWER -- RISC-V is just not there yet and it has a long road to go.

I want an open system to succeed, but I just don't see RISC-V being a viable desktop or server option without some serious re-thinking of how they approach ISA design and ecosystem maintainence. The fact that the majority of RISC-V chips by volume ship in closed, locked products is something of a reinforcement from industry of that viewpoint.

* https://buildd.debian.org/stats/graph-ports-week-big.png

whitepines Silver badge
Coat

I'd think the threat from RISC-V is lower than that from OpenPOWER, but then again the threat from both combined is more significant than from either one alone.

Not sure why El Reg keeps only highlighting RISC-V as the One True ARM/x86 Killer, it's not the only open ISA out there, and in point of fact it's currently the one with the least amount of usable open-friendly silicon available for purchase, and also the one where most of the existing open source software simply won't run. And with those trends not changing very quickly, if at all, it's not currently a serious threat to all but the smallest ARM designs in reality.

Elevating cost-cutting to a whole new level with million-dollar bar bills

whitepines Silver badge
Joke

Re: ...in order to itemise a customer's bill...

when a cheap and simple SEP Field generator would have made the problem disappear.

I hear a 5G mast (the more visible the better) works wonders to generate a SEP field...

...it doesn't even have to do 5G. A decoy is much cheaper for the same effect!

IBM Watson GPU cloud cluster Brexits from London to Frankfurt – because GDPR

whitepines Silver badge
Facepalm

Re: Pointless And Political

There's an article in this fine publication about new UK snooping laws. Why is anyone surprised this little island (wannabe) dictatorship isn't magically compliant with GDPR at the same time?

whitepines Silver badge
Linux

Re: Genuinely...

or has this computationaly big been running for >3 years without modification?

Clearly you have no experience with academic code, as in software written by PhDs that have nothing to do with computer science but are Big Names in their chosen field (material science, for instance). Poorly written doesn't quite capture the spirit of the thing.

Icon 'cause some of them only code for Windows. On software intended for supercomputers.

Why should the UK pensions watchdog be able to spy on your internet activities? Same reason as the Environment Agency and many more

whitepines Silver badge
Facepalm

Re: Extraordinary surveillance powers set to be injected into govt orgs

but they still need revenue

And when the companies and developers creating that revenue dry up because they won't work in a backward little nation like Blighty that wants to pretend it is anything more than a poor English copy of a much more powerful Asian surveillance dictatorship?

Oh, right. Consequences are something new and undiscovered for politicians.

OK brainiacs, we've got an IT cold case for you: Fatal disk errors on an Amiga 4000 with 600MB external SCSI unless the clock app is... just so

whitepines Silver badge
Boffin

Re: My favourite timing bug

Probing the LM723 power regulator chips pins fixed it for several months.

My best guess is that you found a cracked solder joint, probably in some feedback circuit where current was almost non-existent. Physically touching it re-made the connection enough for it to work, but it would have worked loose again over time.

You could have used a non-conductive stick to do the same thing and it would have "fixed" it just as well. Maddening failure mode, I've had a few in my career. Easy to keep in mind that with normal circuits if it's a signal margin error, removing the probe always causes the issue to reappear almost immediately.

Internet Archive justifies its vast 'copyright infringing' National Emergency Library of 1.4 million books by pointing out that libraries are closed

whitepines Silver badge
Facepalm

Re: It has been pointed out ...

Not as ignorant as you'll be when you can't afford to renew your (future) PPV reading license!

Me, I'll stick to dead trees. They don't have a habit of vanishing into thin air, and if they do the police are happy to investigate.

whitepines Silver badge
Boffin

Re: Disengenious

I understand why people think that IP law needs a comprehensive re-think. I don't get why people think that they can just ignore laws because they don't like them.

Probably because:

a. "copyright infringement" in the manner discussed, especially when it's just DRM bypass, is a true victimless "crime". In many cases the law (copyright) also goes against morality; we have copied from one another since our very first days as a species and inherently we know that restricting copying for more than a short duration is intrinsically bad. Especially when an improvement is completely locked away for no other reason than a corporation's selfish greed (e.g. the Disney Vault -- that business practice should be made illegal if we have to put up with copyright as-is).

b. Any discussion on reforming copyright is demonstrably a lost cause. Copyright is enshrined in treaty and shrouded in pathos ("the poor authors! they'll starve!"). The only outcome of legislative discussion on copyright for the past century has been more and more expansion of it and more and more draconian restrictions.

Given that track record, civil disobedience is apparently the only way the people can make their voice heard.

whitepines Silver badge
Facepalm

Re: It has been pointed out ...

take money out of the pockets of those who need it the most – American authors.

What a bunch of whiny crybabies. Business is hard, grow up -- you have the easiest job in the world with guaranteed legal protections on your work. Many others just muddle through with far fewer protections, including some fairly large corporations you just might have heard of like Siemens. And they're not whining about work they did 50+ years ago being copied.

Maybe if you and your ilk hadn't extended copyright to cover multiple generations people would actually care, but as it stands your own incompetence in making a living wage over a period of 120+ years per work with a DRM locked subscription model forced down your victims' customers' throats for added insult is not society's problem. We (society at large) simply don't care about your whining any more -- you've made the deal so bad that you can simply disappear and take your copyrighted rubbish with you as far as we're concerned.

By all means, don't get copyright duration under control, keep forcing renting and streaming of works, keep locking copyrighted works behind obtrusive, ineffective, privacy-invading DRM, and all you'll see is more and more people choosing to "own" a pirated copy instead of paying monthly or paying per view. Stop taking money out of the pockets of hard working American people -- many of whom work on a wage so low they can barely afford food and housing -- to fund your lifestyle through subscriptions, then, and only then, maybe you'll gain some respect. As it stands you don't even deserve a seat at the table.

Oh, and trying to profit from COVID19? That's just sick -- it shows where you really stand. Authors seem to be all about the money these days.

AMD dials 911, emits DMCA takedowns after miscreant steals a load of GPU hardware blueprints, leaks on GitHub

whitepines Silver badge
Trollface

Re: So let me get this right...

Probably a Ryzen laptop...running Windows, naturally...

whitepines Silver badge

I'm biased because I only really ever use Linux / BSD, and use a Power desktop, but the Open Power systems are actually quite good replacements for normal desktops and servers. The big drawback is there are no mobile devices, and of course Windows will not run but I think if you are running Windows the CPU hardware and firmware security is the least of your worries.

I also have a couple of ARM laptops. They are adequate, nothing special, but they do get the job done.

whitepines Silver badge
Alert

And yet, somehow, we're supposed to just trust that no one has stolen, or could ever steal, the Platform Security Processor master keys?

This should be a wake up call to anyone still willing to blindly trust AMD (or Intel!) for the continued security of their data.

The shelves may be empty, but the disk is full: Not even Linux can resist the bork at times

whitepines Silver badge
Joke

Re: The cruft builds up

Canon "Canada Goose" edition!

Britain's courts lurch towards Skype and conference calls for trials as COVID-19 distancing kicks in

whitepines Silver badge
WTF?

Where exactly is it written that if you are arrested you have to give extremely private information to a foreign corporation (Microsoft) at trial?

Captain Caveman rides to the rescue, solves a prickly PowerPoint problem with a magical solution

whitepines Silver badge
Alert

I'm surprised so few people are talking about this. I'm not sure if it's a case of the poor don't matter and deserve to die (which I strongly disagree with) or if it's just plain stupid shortsightedness, but from the first day this was a concern I had.

Surge in home working highlights Microsoft licensing issue: If you are not on subscription, working remotely is a premium feature

whitepines Silver badge
Happy

Meanwhile, our corporate xrdp servers behind a certain popular open VPN server package continue to chug along as if nothing happened.

One of the reasons for removing Windows from our network was this exact problem. The EULA for Windows changed with Windows 10, to the point of being worse than useless (i.e. a sueball attractor) if CALs aren't purchased. And when you look at CALs, you need Windows Server, not Windows Professional or whatever it is called these days. Bottom line is that it was cheaper and safer to migrate to Linux and use Wine for those handful of legacy Windows-only apps that prior to 10 were running on native Windows on a small number of firewalled boxen. Since the corporate systems were already mostly Linux and BSD-based (including desktop), it was a bit of a no-brainer with that EULA change.

Look ma, no Intel Management Engine, ish: Purism lifts lid on the Librem Mini, a privacy-focused micro PC

whitepines Silver badge
Trollface

I'm not sure either of those fills me with much confidence.

Right on -- at one point, evidence of one backdoor would have been taken as strong indication there are others. Have we actually reached a point where cheap is that much more important than secure, to a point where the industry is willing to purposefully turn a blind eye to these things to maintain the illusion?

Oh, right, IT. This is just another way for the PHB to under-spec kit and make the beancounters happy. Too bad the GDPR doesn't make the PHBs that sign off on this kind of thing personally liable for the predictable consequences.

whitepines Silver badge
Happy

If the objective is to build something free of backdoors in the CPU, wouldn't you base it on OpenRISC, or at least ARM?

Strange choices. The two leading open ISAs today are RISC-V and Power, and both are already usable for low compute power tasks in FPGA. The latter does have nice server / desktop chips available too, unlike the ARM server chips that always seem to come with IME equivalents. Agree with the general sentiment though, Intel (or AMD) and security do not belong in the same sentence unless the word "vulnerability" is also used.

whitepines Silver badge
Facepalm

Erm, you just said "aside from MEI". Since Purism isn't removing or disabling it, there is persistent storage attached to the CPU, and you cannot remove malware injected into it just by a reboot.

whitepines Silver badge

Re: 5V and 12V rails

This thing has DMA access to the entire system. USB, network, add-on cards, you name it, it has access.

So no, that won't work.

whitepines Silver badge

Re: If they are touting security ...

It it possible to disable AMD's PSP?

No. And don't be misled by the "PSP disable" setting in some BIOS versions. It should have been labelled "hide PSP" not "disable PSP", as the former is what it actually does.

Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling LVI flaw will slash performance

whitepines Silver badge
Unhappy

Re: If these exploits carry one

Downvotes inbound, but...

That "PSP disable" switch only asks the PSP if it would be so kind as to stop doing whatever it does. Same with the IME disable (HAP bit).

I suspect Intel fed said government agencies a load of bollocks, made them feel better about HAP (it "disables" the IME!" when in fact it does no such thing), and any renegotiation in light of the actual facts of the matter would be happening behind closed doors at this point.

Possibly with a mess of high powered lawyers.

Or maybe the government is OK with a backdoor. We don't have any way to know, though I have been told repeatedly by folks in the know that not even the major world governments have IME source code, let alone PSP source code.

whitepines Silver badge

Re: If these exploits carry one

My answer to AMD's PSP is the same as the Intel IME, just get rid of it.

Um, you can't. Who told you it was possible?

If you remove the PSP or the IME firmware you are left with an unbootable brick by design. Don't confuse marketing BS with actual facts.

whitepines Silver badge
Flame

Re: If these exploits carry one

I suspect I have found one of those irritating serial downvoters on any comment that dares even so much as hint AMD isn't some sort of panacea.

What's your answer to the AMD PSP? Just trust AMD do to do the right thing with their firmware, especially since they have no penalties if they do leak data from that firmware?

It's entirely within the realm of possibilities for one team in AMD to make a good core and another team inside AMD to hobble it with DRM interest related rubbish. I believe the technical term is "shooting one's foot".

whitepines Silver badge
Facepalm

Re: If these exploits carry one

Other makers may well desert Intel and switch to AMD.

Out of the frying pan and into the fire. There's an article today in this august publication exposing an AMD speculative vulnerability, and AMD has yet to be scrutinized as heavily as Intel.

Two sides of the same coin, really. More concerned with protecting Hollywood interests and commercial software than with the security of your data.

Supply, demand and a scary mountain of debt: The challenges facing IT as COVID-19 grips the global economy

whitepines Silver badge
Unhappy

they probably can't pay their IT supplier...

That right there is the problem. I'm increasingly concerned this will cement Slurp and co. and help drive anyone smaller to the wall.

Worse, the effects will be delayed. Normally I'd say start polishing CVs, but this time I'm thinking start looking at career shifts. Problem is I don't know where IT folk would fit in a new career.

Chips that pass in the night: How risky is RISC-V to Arm, Intel and the others? Very

whitepines Silver badge
Thumb Up

Re: Power ISA?

I wish Raptor sold a laptop.

I would buy one! Though it must have a proper screen and keyboard, none of this chicklet rubbish that seems to be popular right now. Or at least modern laptops certainly feel like chicklet keyboards.

Perhaps I'm just old.

whitepines Silver badge

Re: Power ISA?

Of course not. It's too new.

POWER has been going for thirty years.

Good points. What do you see as RISC-V's advantage over POWER, aside from the current hype train surrounding RISC-V? Genuinely curious, both seem interesting, though I still find a Beaglebone tends to do everything I need in an SBC at a more affordable price than an equivalent RISC-V thing.

whitepines Silver badge

Re: Power ISA?

Not to mention you can get entire desktops and servers with Power from Raptor Computing Systems. I can't recall seeing an equivalent for RISC-V.

Oh, and the firmware is all open source alongside the open ISA, too:

https://git.raptorcs.com/git/

I use one of their desktops. Yes probably biased but I like it, and they do sell to Blighty!

'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

whitepines Silver badge

Re: Missing the point....

I know for a fact they just haven't been analyzed as much. AMD still has the exact same "keys to the kingdom" problem, they're just at a much smaller market share so interest in cracking their key versus Intel's key is a lot lower.

Same way Linux doesn't have many viruses -- tiny market share in terms of gullible PC users, so just not worth the effort to crack (yet).

whitepines Silver badge

Re: The best.

Not sure about other current CPUs but it seems to me that "old hardware from the early 2010s" lacks this kind of secure enclave altogether so would still be less secure then the new stuff with the vulnerability.

Depends on use case, but the older hardware tended to have isolated TPMs so would still have secure enclave support (ish) whereas with this vulnerability even something as basic as secure boot or firmware signing is completely trashed.

The new hardware of course has (at least on the Power side) secure enclave type functionality. ARM has its TrustZone, but SoCs with TrustZone and open firmware for it aren't the most common. Given a choice I'd use the newer chips that aren't from Intel or AMD but for those that feel they absolutely must game on their PC the old hardware is likely the only thing that will work.

whitepines Silver badge
Alert

Re: The best.

no problem whatsoever if you are prepared to switch to AMD.

AMD has pretty much the exact same system in play, it just hasn't been attacked as earnestly as the IME yet. Look into the PSP. This is only good news for AMD if they can continue to lie about their security focus while still forcing the exact same DRM model that has brought Intel to this situation.

To get away from it you can select from certain ARM CPUs, Power, or RISC-V. Or, use old hardware from the early 2010s or before. Ryzen, Epyc, etc. are not going to get you away from this!

whitepines Silver badge
Happy

Re: Missing the point....

Good news for AMD of course

AMD has pretty much the exact same system in play, it just hasn't been attacked as earnestly as the IME yet. Look into the PSP. This is only good news for AMD if they can continue to lie about their security focus while still forcing the exact same DRM model that has brought Intel to this situation.

Go ahead, downvote me for daring to speak against Team Red...

whitepines Silver badge
Angel

This is exactly why we use ARM and Power systems (though technically those systems are chosen only for the open firmware, it's mainly that those two architectures have CPUs with open firmware that are powerful / pervasive enough to be useful).

I just can't believe it's taken this long for the master key to leak...

...which makes me suspect it's already been extracted some time ago, just not in white hat circles / publicly.

Wonder what the GDPR implications are, since it's not exactly like the IME was a secret for the past 5+ years? Shouldn't purposefully choosing a cheap, but insecure, platform to store protected trigger some fairly nasty fines now that data leak (especially of, and I quote, "encrypted" data) is possible? Especially since the decision was purely to minimize cost on "that IT cost centre"?

Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes

whitepines Silver badge
Megaphone

Re: Minor arse-ache

Well, if you manage to cock up *that* simple of a command, multiple times even, you should seriously be considering a career change. To one that does not involve electrons.

The problem is that all it takes is one cock up (e.g. "up enter" accidentally re-running the update command, in an environment primed with "update often" where re-running an issuance command is not expected to be able to knock everything offline). Or even in some cases no cock up at all is required; the company referenced earlier basically did this:

* Set short update interval (which is encouraged, given short cert expiry times!)

* Migrate several subdomains from a commercial cert to LetsEncrypt over a period of several hours (this was before wildcard DNS, the systems involved were quite complex, and under no circumstances was "shut it all down for hours to enable a single, untested cert migration" an option)

* Test the automatic update system with one last manual update. Oh bugger, API request limit hit with that last test, no way to override, sites offline, scramble for commercial cert.

When the limit is hit it shouldn't immediately knock out requests for days. It should soft fall back to minutes and maybe increase over time to hours then days, and in all cases LetsEncrypt should always be able to override it (possibly for a small fee if it was customer induced stupidity versus an external attack).

In fact there's some concern a neer-do-well could effectively knock sites offline via a DoS attack using this little known "feature" of LetsEncrypt, though I haven't really looked into it in detail.

And don't give me any bull about LetsEncrypt having a useful staging environment. It literally goes after your public Web servers on your production domains to even issue the certs in the first place, so you can't have a fully isolated staging environment that would have prevented the sequence above.

Page:

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2020