Posts by Crypto Monad

247 posts • joined 14 Dec 2017


Space tourists splash down in Atlantic Ocean after three days in orbit

Crypto Monad

The BBC reports:

"He [billionaire Jared Isaacman] had paid an undisclosed sum - estimated by Time magazine to be about $200 million (£145 million) - to fellow billionaire Elon Musk for all four seats aboard the Crew Dragon."

Citibank accidentally wired $500m back to lenders in user-interface super-gaffe – and judge says it can't be undone

Crypto Monad

Re: Double keying already used in some banking applications

The two entries are then compared with each other to ensure that they match. This process is used in military and BANKING APPLICATIONS

Obligatory xkcd: 970

Why we abandoned open source: LiveCode CEO on retreat despite successful kickstarter

Crypto Monad

Re: Eight years and this is the first I've heard of it??

In a computing magazine from the early 1980's I saw an advert for "The Last One" (TLO) - supposedly the last programming language which would ever need to be written, because anyone could program in plain English.

Now it's just a footnote to history in the briefest of wikipedia pages, although the example shown is very illuminating as to how rubbish it was.


This drag sail could prevent spacecraft from turning into long-term orbiting junk. We spoke to its inventors ahead of launch

Crypto Monad

Re: Fifteen kilograms?!?

I think the relevant question is: how does the drag you get from deploying that sail for 10 days, compare to the impulse you could get from burning 15kg of rocket propellant?

Tachyum's Prodigy emulator achieves first boot, runs Linux and says 'hello, world'

Crypto Monad

Or it doesn't exist at all, except to con money out of investors.

If they're really about to release the FPGA emulator to customers, then at least someone will get a look at what the instruction set looks like, and how novel it really is.

Have they patented anything? Then the patents will be published.

US boffins: We're close to fusion ignition in the lab – as seen in stars and thermonuclear weapons

Crypto Monad

Re: Self sustaining

They say it releases "about 70 per cent of the laser energy shot at the target"

What they don't say is what percentage of the electrical energy fed into the laser is converted into laser energy.

Engineers work to open Boeing Starliner's valves as schedule pressures mount

Crypto Monad

Re: Tip of the iceberg?

And equally - if they don't understand *why* half the valves are sticking, what chance is there that the problem won't reoccur?

Elastic amends Elasticsearch Python client so it won't work with forks then blocks comments

Crypto Monad

Re: Ugh...

> If you look back at the history of open source you'll generally see that people understood from the word go that it would never be the sole basis for a commercial product.

Not necessarily. The BSD licence is so permissive that it allows code to end up in proprietary, commercial products. This is by design: the people who work on BSD understand this very well.

In a complete non-surprise, Mozilla hammers final nail in FTP's coffin by removing it from Firefox

Crypto Monad

Also remember that SFTP and FTPS both exist, and are two completely different things.

(One is a subsystem of SSH. The other is the regular FTP protocol, over TLS)

Cut us some Slack: $27bn+ later, collab tool officially belongs to Salesforce

Crypto Monad

Re: Mockery

By "too big to fail", do you mean "so important to society that governments will be forced to bail them out" (like banks)? Or "so cash-rich that they can always buy up any upstarts that try to displace them?"

I don't think Salesforce/Slack or even Microsoft fall into the first category. If they fail, it will be because they cease to innovate and their customers move to something which meets their needs better. The only requirement to stop this being catastrophic is to ensure that all customers have the right to export their data in full.

Twenty years ago, everyone had a Nokia phone. It could have been argued at the time that they were "too big to fail". They failed - and the world moved on.

Not only is Hubble back online after outage, it's already taking photos of the cosmos

Crypto Monad

That's because the Amazon Prime rocket only does up-down fairground rides. Getting into orbit requires way, way more energy: roughly about 100 times more.

Richard Branson uses two planes to make 170km round trip

Crypto Monad

Re: Exaggerated hype

As it happens, they got to 53 miles, not 17 miles.

However, the height is almost irrelevant. Only about 1% of the energy required to get into orbit is to get up to the right height; the other 99% is in the kinetic energy required to travel laterally.

Increasing their rocket power to get to 100 miles or 200 miles would not get them into orbit; it would just increase the time slightly before falling back to earth. That's why what SpaceX is doing is a *much* bigger deal.

Crypto Monad

Re: Papa Elon

> New Shepard hasn't flown manned yet. This is still testing

New Shepard is completely automatic. There is no need for a pilot, and all testing can be completed without any (real) bodies on board.

Boffins say they've improved on algorithm for dynamic load balancing of server workloads

Crypto Monad

Re: Whats old is new again

No, this is nothing like "the old probes that pulled server metrics such as CPU and RAM when doing weighted load balancing"

To understand what this is about, imagine a distributed object storage system. There are M servers ("bins"). Each incoming object ("ball") is written to one of those servers. You want to distribute them evenly, so that you don't run out of capacity on one server while others have free space.

When writing, it would be easy to pick the one with the most free space. That's what you're describing.

The problem is, how do you *read back* a given object? Either you have to search for it across every server, or you have to maintain a huge database of every object and its location.

To avoid the huge database, you want to locate an object from just a hash of its name. Such an algorithm will necessarily require objects to be moved when you add or remove a storage server, and you want to minimise the number of movements in that case.

This is what storage systems like Ceph and Swift do. They use variations on "consistent hashing" which is mentioned in the paper as the previous state-of-the-art. However, such algorithms give effectively 'random' distribution. If all the objects are the same size then this gives pretty good results, but if you have a handful of huge objects mixed in, you can get badly out of balance.

The paper describes a better algorithm which avoids having a central database, maintains a good balance within some constraint factor, and minimises the number of servers you have to look on to find a particular object.

This is a big deal. You should give them credit for it, rather than dismissing something you don't understand as being nonsense.

Why won't you copper-ate? Openreach offers capped fibre line rental to wholesalers in bid to shift all that FTTP

Crypto Monad

Re: 26M premises…

About 30M properties in the UK in total.

Openreach to UK businesses: Switch is about to hit the fan. Prepare for withdrawal of the copper-based phone network now or risk disruption

Crypto Monad

Re: The future is coming

> Ask for an advisory date for FTTP (or even how far we are down the rollout) and an answer there is none. Which complicates planning a little.

That's because switch-off of the PSTN is *not* linked to the availability of FTTP.

Come 2025, if you have no FTTP, you'll still be getting Internet via FTTC (or heaven forbid ADSL). However your voice service will be delivered over that, as VoIP, rather than analogue narrowband signals injected directly over the copper.

You can start switching to VoIP today. There are many providers of IP-based telephony services. If you have a PABX in the basement linked to an E1 trunk, now is the time to get rid of it.

In terms of alarm companies, you'll need them to provide a service which works over IP. Again, you can move to that as soon as the alarm company has a workable IP-based solution.

How hot is it right now? 'Water park catching fire and burning down' hot

Crypto Monad

It wasn't a Sea Parks by any chance was it?

BT promises firmware update for Mini Whole Home Wi-Fi discs to prevent obsessive Big Tech DNS lookups

Crypto Monad

Re: flaw only affected those users with custom DNS setups on their personal networks.

A while ago, Unifi APs started calling home to the vendor to report stats.

Now my Unifi APs have their management address on a separate VLAN, which blocks *all* outgoing traffic. The controller sits on this VLAN too. And I only open up outbound access from the controller when fetching a new firmware version.

It's sad that we can't trust vendors not to spy on us these days.

Ireland warned it could face 'rolling blackouts' if it doesn't address data centres' demand for electricity

Crypto Monad

Re: Lucky Ireland

I was going to say the same: if power is short, why not load shed the data centres? They have diesel generator backup, after all.

BMA and Royal College of GPs refuse to endorse NHS Digital's data grab from surgeries in England

Crypto Monad

We have the web now: it could be made opt-in on a case-by-case basis.

"We have a request from <insert company> to perform research on <insert topic>. For full details of the study see <insert link>. Do you consent to be included?"

Seagate finds sets of two heads are cheaper than one in its new and very fast MACH.2 dual-actuator hard disks

Crypto Monad

Re: Not new

All modern hard drives do this.

You have a queue of outstanding requests on the bus (SATA/SAS etc). The drive optimises its seek path across the platters, using its knowledge of the rotational positioning of sectors as well as elevator seeking.

The more parallel I/O you're doing - i.e. the deeper the queue - the more opportunity it has to improve the total throughput.

Wyoming powers ahead with Bill Gates-backed sodium-cooled nuclear generation plant

Crypto Monad

Re: Go for it

> Hence the Hinkley Point development where EDF is spending £23 billion to build a new reactor

The question is, will they still be around to pay to decommission it at the other end of its lifetime?

Broadband plumber Openreach yanks legacy copper phone lines in Suffolk town of Mildenhall en route to getting the UK on VoIP

Crypto Monad

Re: OMG - El Reg: this is a tech journal

The first paragraph of the article got it wrong in almost every important detail. There is no copper stop-sell in Mildenhall. They are not "also" withdrawing analogue voice; they are *only* withdrawing analogue voice.

The stop-sell in Mildenhall is much more limited than Salisbury. Copper will remain for ADSL/FTTC connections.

However, it is certainly true that you will need a UPS to make landline phonecalls during a blackout (if you can't receive a mobile phone signal).

Crypto Monad

Re: OMG - El Reg: this is a tech journal

El Reg has indeed got it wrong here.

Unlike Salisbury, where they've gone full-on to FTTP, the stop sell in Mildenhall is *not* on copper; it is on analogue voice services only. Copper remains for providing xDSL services, and voice will be carried digitally over that.

The phasing out of the PSTN (analogue voice) will be complete by 2025, whereas the phasing out of copper has no date set. Openreach's public goal is about 70% coverage by "mid to late 2020's", so there will still be substantial amounts of copper remaining well into the 2030's.

You can get a more accurate summary at ispreview.co.uk - and from the horse's mouth at Openreach's Mildenhall page.

Someone has to pay to keep the lights so data-viz outfit Grafana switches licence regime to AGPLv3

Crypto Monad

Vendors don't choose to provide cloud services because of licences. Ask yourself why Microsoft pushes Office 365 so heavily over the on-prem products, when they own the licences anyway.

Vendors provide cloud services:

- to get a recurring revenue stream

- to control upgrades and bugfix releases

- to simplify support processes

- because many customers don't want to manage servers any more

- ... etc

Docker Desktop for Apple Silicon is here, but probe a little deeper and you'll find Rosetta 2 staring back

Crypto Monad

Re: It’ll be interesting to see what limitations pop up

AWS have Graviton ARM VMs you can rent, up to 64-core bare metal, at about half the cost of equivalent Intel ones.

Lots of people run Raspberry Pi as desktop and/or server. Plenty of other ARM-based boards out there too, e.g. NASes and routers.

Oh hello. Haven't heard much from you lately: Linux veteran Slackware rides again with a beta of version 15

Crypto Monad

Re: one of?

> Not one of the oldest? THE oldest.

I don't think so. The first Linux I ran was Soft Landing Systems (SLS), and according to Wikipedia at least, Slackware was a fork of that.

It certainly was buggy: I remember that the permissions on the /var/spool/mail directory were set wrongly out-of-the-box, so that you couldn't even send mail between two local users. But fixing that sort of problem was a great way to learn how Linux/Unix actually worked :-)

Windows comes to Apple M1 silicon as Parallels delivers native desktop hypervisor

Crypto Monad

Hypervisor framework

"UTM" is a GUI wrapper that lets you use this for free:



FreeBSD 13.0 to ship without WireGuard support as dev steps in to fix 'grave issues' with initial implementation

Crypto Monad

Re: Why is Wireguard in the kernel?

The cool kids are doing networking in userland anyway. See for example VPP/DPDK, commercialised as TNSR (coincidentally also by Netgate)

Absolutely fab: As TSMC invests $100bn to address chip shortage, where does that leave the rest of the industry?

Crypto Monad

Re: More capacity needed anyway

More capacity is needed partly due to "the increased use of semiconductors in vehicles"

Can someone explain to me why a car needs anything more sophisticated than a 6502?

And the Turing Award for best compilation goes to... Jeffrey Ullman and Alfred Aho

Crypto Monad

What happened to Ravi Sethi?

... the other co-author of the Dragon Book. He doesn't get a mention :-(

Blockchain may be the machinery of mischief, but it can't help telling the truth

Crypto Monad

Re: Typical cloud/IoT issue of "if the server goes down, yer f*cked"

> So if any of these servers go down, or the companies hosting them go out of business or just plain decide to not host them any more... your NFT is gone and there's nothing you can do about it.

The NFT should just contain an SHA256 hash of the image or whatever. It doesn't need to provide a way to retrieve it. Ownership of a URI is useless, because the content at that URI can change anyway.

> And something the tweet doesn't cover: if I go to that URI, then I can simply download your NFT.

That's missing the point. You're not downloading the NFT, you're downloading the image that's linked to it. You have a copy of the image, but you don't "own" the image. The NFT asserts ownership, and allows you to transfer that ownership. It's not a copy-protection mechanism. It's more like a certificate of authenticity.

Crypto Monad

Why do you think that blockchain would be at all applicable to this situation?

A vaccination record ("person X has been vaccinated") has no value in the blockchain if just anyone can put it there. But if it's signed by a trusted third party - the NHS, say - then it's the signature that matters, not the fact that it's in the blockchain. Vaccinations aren't transferrable, so a record of "ownership" of the vaccination being transferred from one person to another doesn't mean anything.

For the same reason: "The holder of this token is the only legitimate owner of the original artwork Pig In A Frock Playing Poker With A Chimp, Bill Gates 2021, pixel-in-DRAM" has no value, unless you can prove that the person who put it there in the first place was Bill Gates (or someone with delegated authority from Bill Gates)

PHP repository moved to GitHub after malicious code inserted under creator Rasmus Lerdorf's name

Crypto Monad

And in particular, it would be good to know what git hosting software they were using (and what version), or whether it was a plain old SSH repository.

Excel-lent: Microsoft debuts low-code Power Fx language... but it is not really new

Crypto Monad

Re: why this continuous creation of new languages


SD card slot, HDMI port could return to the MacBook Pro this year, says Apple analyst

Crypto Monad

It always struck me as incredibly wasteful to tie up a 40-gigabit Thunderbolt 3 / USB-C port just for charging the laptop (especially if you have only one or two).

A separate dedicated power port makes much more sense.

I've been sticking with my 2015 MBP, which has two TB2 ports, two USB-A ports, HDMI, SD card, Magsafe 2 charging, and 3.5mm audio: they all get used at various times.

Decade-old bug in Linux world's sudo can be abused by any logged-in user to gain root privileges

Crypto Monad

Re: How is this possible?

Fixed by macOS security update 2021-002

$ /tmp/sudoedit -s '\' `perl -e 'print "A" x 65536'`

usage: sudoedit [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

Crypto Monad

Re: How is this possible?

Still vulnerable even with security update 2021-001 applied:

$ /tmp/sudoedit -s '\' `perl -e 'print "A" x 65536'`

Segmentation fault: 11

Crypto Monad

Re: How is this possible?

[this is macOS 10.14.6 with security update 2020-007]

MacBook-Pro-4:~ $ ln -s /usr/bin/sudo /tmp/sudoedit

MacBook-Pro-4:~ $ /tmp/sudoedit -s /


sudoedit: /: not a regular file

MacBook-Pro-4:~ $ /tmp/sudoedit -s '\' `perl -e 'print "A" x 65536'`

Segmentation fault: 11

So in short, macOS apparently is vulnerable, but it's partially mitigated because it checks the password earlier in the process (so you need to know the local account password).

Oracle sweetens Java SE subscriptions with a spoonful of free ‘GraalVM’ runtime said to significantly speed Java

Crypto Monad

Re: This is Oracle.

Java SE is not free - it has a commercial licence that "permits personal use, development, testing, prototyping, demonstrating and some other uses at no cost."

This article is muddying the water.

If GraalVM requires Java SE, then it's not free. But if GraalVM is GPL and runs independently of Java SE, then saying that "might just give those users and developers an on-ramp that keeps Java SE relevant" makes no sense.

Microsoft's Extensible Storage Engine (JET Blue) source code arrives on GitHub – sadly comments not included

Crypto Monad

Re: A compound application - or named after one?

FWIW, JetBlue is also a major budget airline in the US.


Firefox 85 crumbles cache-abusing supercookies with potent partitioning powers

Crypto Monad

This issue is not so much about caching of HTML pages themselves, but of the assets referenced within them - images, CSS stylesheets, JavaScript etc.

Even when fetching over HTTPS, I doubt your browser refetches *all* the assets for a page for every page view. For many sites that would be multiple megabytes per view; you'd certainly notice it.

The problem described in the article is when two separate websites (site1 and site2) both reference an asset at the same URL, e.g. img src="https://example.com/foo.png". Colluding sites could generate an image (or stylesheet etc) dynamically, and then check its content. The solution in Firefox is to have separate caches when browsing site1 and site2.
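
The cache behaviour described in the comment above, modelled in memory as an added example (not part of the original post and not Firefox code). SimBrowser, makeAssetServer, site1.example and site2.example are constructed names, and the string cache key is a simplification of keying the cache by top-level site.

```javascript
// In-memory model of a browser HTTP cache, comparing a single shared cache
// with a cache partitioned by the top-level site being browsed.
// All names and hosts here are constructed for illustration.

// Stand-in for the server behind https://example.com/foo.png: each request
// that actually reaches the network gets freshly generated content.
function makeAssetServer() {
  let counter = 0;
  return function fetchFromNetwork(url) {
    counter += 1;
    return { url, body: `asset-content-${counter}` };
  };
}

class SimBrowser {
  // partitioned = false: cache keyed by asset URL only (one shared cache).
  // partitioned = true:  cache keyed by (top-level site, asset URL).
  constructor(fetchFromNetwork, partitioned) {
    this.fetchFromNetwork = fetchFromNetwork;
    this.partitioned = partitioned;
    this.cache = new Map();
    this.networkRequests = 0;
  }

  cacheKey(topLevelSite, assetUrl) {
    return this.partitioned ? `${topLevelSite}|${assetUrl}` : assetUrl;
  }

  // Load an asset referenced by a page on topLevelSite and return the
  // content that page ends up seeing.
  loadAsset(topLevelSite, assetUrl) {
    const key = this.cacheKey(topLevelSite, assetUrl);
    if (!this.cache.has(key)) {
      this.networkRequests += 1;
      this.cache.set(key, this.fetchFromNetwork(assetUrl));
    }
    return this.cache.get(key).body;
  }
}

// Browse site1, then site2, then site1 again; both pages reference the same
// asset URL. Reports whether the two sites saw identical content (which is
// what lets them recognise the same browser) and how much caching survived.
function visitBothSites(partitioned) {
  const browser = new SimBrowser(makeAssetServer(), partitioned);
  const asset = "https://example.com/foo.png";
  const seenOnSite1 = browser.loadAsset("site1.example", asset);
  const seenOnSite2 = browser.loadAsset("site2.example", asset);
  const seenOnSite1Again = browser.loadAsset("site1.example", asset);
  return {
    linkable: seenOnSite1 === seenOnSite2,
    cachedWithinSite: seenOnSite1 === seenOnSite1Again,
    networkRequests: browser.networkRequests,
  };
}

console.log("shared cache:     ", visitBothSites(false));
console.log("partitioned cache:", visitBothSites(true));
```

Partitioning costs one extra network fetch per site for a shared asset, while repeat views within the same site are still served from cache.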

Apple emits emergency iOS security updates while warning holes may have been exploited in wild by hackers

Crypto Monad

And just like that, Amazon Web Services forked Elasticsearch, Kibana. Was that part of the plan, Elastic?

Crypto Monad

Re: Bad optics

Not "technically": AWS genuinely has done the right thing here.

AWS runs (and sells) Elasticsearch as a service. It also contributes its improvements back upstream. Via OpenDistro it also contributed further functionality, some of which was only otherwise available as paid-for add-ons (e.g. alerting).

Elastic.co didn't want AWS's software contributions. It wanted their money.

AWS won't be held over a barrel by Elastic.co. Open source software without license fees is what allows AWS to scale up and up and up. This applies to their whole stack, from the Linux kernel upwards. At their scale, it's cheaper for them to employ their own software engineers rather than pay licences, in the same way that it's cheaper to build their own servers than buy from Dell or HP.

In itself this makes no difference to Elastic.co, since they were never going to see any money from AWS anyway. What they now risk is that all the other unpaid community developers will jump ship to the AWS fork - and that their future potential customers may pick this one too. Elastic will have to make its value proposition the support services which come from buying a commercial partner - which they could have done all along.

IMO, the open source community has *gained* a new product champion for Elasticsearch in AWS. We all know AWS's business model doesn't include selling software licences, so there's no risk that AWS will pull the same trick as Elastic.co. There is a potential risk that they will steer it in the direction of their own interests, but since their own interests include deploying Elasticsearch at massive scale with high reliability, that's likely to coincide with the community's interests too.

Aside: Elastic.co no doubt noticed that AWS sells services with built-in licence fees for Windows and SQL Server and VMware and Oracle, and hoped AWS would do the same for them. That ain't going to happen. AWS resell those particular pieces of software, not because they can't write their own database or virtualization layer (they have!!), but because a subset of customers insist on running those exact pieces of software. And crucially, those pieces of software have been closed-source and commercial from day one, so there's nothing to fork.

EDIT: it's also worth noting that in keeping Elasticsearch development fully open source, AWS is helping *its own competitors* - both the other big cloud providers, and the more specialised Elasticsearch service providers. AWS don't mind. They continue to compete on reliability, breadth, and price.

Give 'em SSPL, says Elastic. No thanks, say critics: 'Doubling down on open' not open at all

Crypto Monad

Re: It's your cash they're after

But how is this different to all the things running underneath Elasticsearch: the Linux kernel, GNU utilities, the OpenJDK JVM, and libraries?

You can build a cloud service around all of these things without open-sourcing your special sauce. What makes Elasticsearch think it deserves to be treated differently?

AWS here are the good guys. They took the Apache 2.0 distribution of Elasticsearch, enhanced it with components which normally you'd have to pay elastic.co for (e.g. alerting), and then released it back to the world under Apache 2.0. It seems to me that elastic.co cares less about people "contributing back" code, than getting their cash.

On the other side, from AWS' point of view, I can understand that it makes no sense to buy a licence at their scale. Even if they negotiated favourable terms for now, it would leave them exposed to huge price hikes in the future.

Crypto Monad

It's your cash they're after

The code which was previously released under Apache 2.0 is now being released under two licences instead: the Elastic Licence and the SSPL.

The Elastic Licence is highly restrictive. It says you can use (but not distribute) the binaries, and only for certain purposes. You can look at the source code, but you can't use it: even if you build your own binaries from source, you can "use the resulting object code only for reasonable testing purposes". Essentially it's a full-blown commercial licence, where the cost for some uses of the software is zero.

The SSPL is less restrictive, allowing you to distribute and modify binaries and source. However if you provide Elasticsearch as part of a cloud offering under this licence, you must then release the source to your *entire* cloud environment, such that someone else could replicate the entire cloud. As such, it becomes a huge risk to any SaaS operator to use Elasticsearch anywhere in their infrastructure under these terms.

Of course, you can buy your way out of the risk by paying a licence to elastic.co. But why do that for Elasticsearch, and not for all the other myriad open source components you rely on in your infrastructure?

I think it's disingenuous for elastic.co to argue that cloud users haven't been contributing back source code patches. Nobody wants to maintain their own private fork - everyone wants their enhancements to be merged upstream to avoid the burden of carrying them forward. Look at Red Hat's contributions to Linux.

The reality is, elastic.co is more interested in getting your cash than your patches.

Another Rust-y OS: Theseus joins Redox in pursuit of safer, more resilient systems

Crypto Monad

Re: Static Analysis, Strong Typing, Robust Software Engineering / Algol, Pascal, Modula, Ada, Rust

Memory safety is one class of security problems, and there are tools to deal with them. However, many security issues stem from higher layers - SQL injection and CSRF are just two examples.

Put it another way: PHP is a memory-safe environment, but I think you'd be hard pressed to claim that everything written in PHP is secure :-)

The programmer's mindset and approach are far more important. Treat software engineering as a branch of *engineering*.

Crypto Monad

Re: Rust is the future

I think you are making contradictory points there. C is, to all intents and purposes, portable assembly language. It exposes all the fundamental underlying architectural things: pointers, integer overflow etc. Issues around memory management and buffer overruns are the same whether you write in C or assembly.

The only real difference is that if you write in C, then your code gets to run on more processors. A modern compiler can pick a more efficient set of assembly instructions than a human can.

Aside: my first computer had 1KiB of EPROM and 128 bytes of RAM, later expanded to 4KiB. Having an *assembler* was a huge upgrade from writing directly in hex :-)

Apple reportedly planning to revive the MagSafe charging standard with the next lot of MacBook Pros

Crypto Monad

Re: Hooray!

There was an official Apple Magsafe airline adapter - I know because I got one. However, the only place I came across a compatible airline power socket was in older BA 747's in Premium Economy. I did get to use it a few times: IIRC, it was able to power the laptop, but for some reason wouldn't charge it.

Backers of Planet Computers' Astro Slide 5G phone furious after shock specs downgrade

Crypto Monad

Re: Peak Planet

I'm glad you're happy with yours running Sailfish, but I run Android on my Gemini (for various reasons), and it hasn't had an update since 2018.

Failure to support existing users with updates is why I wouldn't touch PlanetCom again.


