* Posts by sofaspud

27 posts • joined 9 Jan 2018

Maybe there is hope for 2020: AI that 'predicts criminality' from faces with '80% accuracy, no bias' gets in the sea

sofaspud

Re: Very dodgy subject

I have been told on three separate occasions by different people with no connection to each other that I look like a rapist.

This is oddly specific and fairly distressing and if I knew what was causing it I'd work to change it, because, damn. (*)

Also I'm a fat white dude and on the two occasions I've been out (in my earlier years) with friends and the cops stopped us, I was the only one put in handcuffs while they made sure we weren't doing anything illegal.

(* and here I've been spending all my time trying to cultivate the Evil Santa look! Whatthehell, man.)

Thought you'd addressed those data-leaking Spectre holes on Linux? Guess again. The patches aren't perfect

sofaspud

Re: Remove high accuracy timers?

Now that I could go for -- a setting you can dial in per timer, so if you bork something in your environment -- kill a critical app by mistake -- you can dial it back to the required precision without having to revert the OS to a previous version.

Probably a kernel compile switch. Dynamic settings can potentially be buggered with.

sofaspud

Re: Remove high accuracy timers?

Pff, like I know *specifically* what apps would be affected. I was pointing out the generic class of problem and as I noted, it's impossible to know with certainty what *would* be affected; all we can be certain of is that a lot of widely-divergent code paths *could* be affected because people (rightly or wrongly) use high-precision timers all over the place, for a wide variety of reasons.

As far as "my sql server" goes: you're not wrong, but you're not thinking about it in the right terms if that's your stance. If your server is physically distinct, on your own network, you control all access, etc., then sure, fine, you're right -- this sort of attack isn't really a problem for you and if it becomes one you're already fucked because they already have access to your hardware to pull it off -- and as we all know, if they have access to the hardware, you're fucked.

But that's not the target profile.

This sort of attack is the sort that opens you up to loss because some idiot running alongside your instance in the datacenter wasn't careful and the attacker escaped *their* sandbox, likely using some other exploit, and is now running their own process at the hypervisor layer, and what they're after is the encryption keys (for example) so they can peer into anybody's process space at will. You're probably not being targeted at all. It's a shotgun approach.

So datacenter operators are understandably worried about it. People who operate in the cloud *should* be worried about it, though I don't recommend losing sleep at the moment. Chip manufacturers are sweating bullets about it because they know just how bad it could really be, even if your (bold!) statement about "no single ransomware tied back to meltdown or spectre" holds true. But dedicated-instance operators? Meh. As you note, there are better ways to get you, if that's your setup.

sofaspud

Re: Remove high accuracy timers?

The short answer is no.

Browser makers are able to do that because that level of precision was never part of the design spec and exposes more problems than having it available solves. An actual, functional OS (rather than a JavaScript sandbox) is designed to allow access to that level of accuracy and there's no telling how many crucial bits of code out there rely on it -- everything from sensor monitoring to file access logging to cryptography and beyond may rely on timers that precise, and rounding off could break entire industries.

Nor can you simply enforce any sort of useful gatekeeping around it. You can't say that "only trusted code" gets access to the timers, because malware doesn't respect your rules as-is and there's no effective way to sign all the possible valid apps at this late stage. If it had been baked in from day one, maybe -- but even then it would probably be more hassle than it's worth, as high-accuracy timers are not themselves the problem, they're just a means of exploiting it.

Motorola bounds out the G8 with a harder, better, faster smartphone for the thrifty

sofaspud

I bought a G7 Power last year and have been seriously impressed with it. I'm not at all ready to upgrade yet -- the G7 is working just fine, thanks! -- but if I were, the experience I've had with the G7 would absolutely steer me towards a G8.

The "bloatware-free" bit is really the kicker for me. I used to buy Samsung (after I stopped being able to rely on HTC, anyway) and ye gods but Samsung is awful about bloatware. The G7 didn't come with any, that I can think of -- I didn't even have to uninstall Facebook, as it wasn't there to begin with! (My Samsung had it as a system app that I couldn't remove.)

Definitely keeping my eye on these, and I'd love to see a full Reg review. Hopefully they send over a review kit. :)

Maersk prepares to lay off the Maidenhead staffers who rescued it from NotPetya super-pwnage

sofaspud

The problem I have with this is when the role specifically requires someone to be able to think -- and I don't mean the marketing blurb about 'think outside the box' or other crap, I just mean things like actual troubleshooting vs. running down a checklist.

Last time my job went to India, I was a DBA. They brought in two guys in India to cover the other shifts so we'd have full 24/7 coverage, flew them over for me to train them up, the whole nine yards. I could see the writing on the wall and made exit arrangements, but for six months or so I was working with these guys. Except none of them would ever do anything that wasn't on the checklist, and when you're babysitting a random mix of hardware spanning literal decades of age (and I include the OS in that) because management is too cheap to upgrade, not everything you run into will appear on a checklist. And even when it does, you need to figure out which checklist to use.

By the time I left, the India team was up to 8 people to cover the role I'd had, were still not hitting any of the same goals I'd been hitting (audits, DR tests, etc), and were at something like 400% turnover.

But each of them only cost the company a third of my salary! So it was all good! Right?

(For another six months my phone kept ringing because the India team had it as their contact number for when things went south and none of them seemed to understand the phrase "I don't work there any more.")

It's Terpin time: Bloke who was SIM jacked twice by Bitcoin thieves gets green light to sue telco for millions

sofaspud

T-Mobile in the US was... significantly different.

My friend had gotten a new phone and it needed a new SIM. His old phone was deader than a doornail (hence him getting a new one). He wasn't able to get the new SIM arranged because the online portal wanted him to confirm with his existing phone.

So I called in to the phone folks, talked to a bored-sounding lady with an accent I couldn't place, told her "sorry, can't verify the text because the phone is smashed" and with no confirmation of anything beyond the old phone number (!!) got a new SIM issued. To a different address than he had on file, because he'd never bothered updating them when he moved and he was on autopay and emailed statements anyway.

I didn't even have to dust off any 'social engineering' skills from my younger, more troublesome days. The state of security at telcos is just sad.

You want a Y2K crash? FINE! Here's a poorly computer

sofaspud

Re: Won't Happen...

This. This right here.

I was a consultant during Y2K and we busted our asses getting dozens of clients ready. Every single one of them made it through with no problems. We were called in after the fact to several more to clean up the problems that Y2K had caused that they hadn't shelled out ahead of time for us to fix.

Meanwhile, our internal systems had a few problems, because the PHB had decreed that internal maintenance was not billable hours and therefore it only happened when we had no clients we could bill. But nothing terribly serious. Our PBX was the biggest nuisance and all it meant was that we couldn't use voicemail for a couple days.

Fast forward to the beginning of February -- NET 30 DAYS, sayeth the invoices, but nobody ever paid before 60 -- and most of those clients were calling the PHB to complain about the bill. *Obviously* Y2K had been overhyped and the expenditure hadn't really been necessary, we were clearly just trying to pad our wallets at our hard-suffering clients' expense, etc.

After all that finally died down, the PHB declared that "any future Y2K work will be paid in advance".

I wish I were joking.

BOFH: When was the last time someone said these exact words to you: You are the sunshine of my life?

sofaspud

Re: "Instant reaction" surveys

That reminds me of a former employer where management removed the coffeepots (claiming fire hazard), and then removed one of the refrigerators in the break room to make space for a coffee/hot drinks vending machine.

At $0.25/cup. And the brew tasted like Satan's urine filtered through sawdust.

The howls of outrage didn't *really* begin until we peons discovered that the director had a family business installing, stocking, and maintaining vending machines.

Morale was already pretty bad but that was where I learned things can always get worse.

BOFH: You brought nothing to the party but a six-pack of regret

sofaspud

Re: Learnings

I didn't realize it was an Americanism -- I rather thought it was from the other side of the pond, because absolutely *nobody* I know uses it (I'm American).

Alphabet's 'love rat' legal chief David Drummond ejects after 18 years at web goliath, no golden parachute attached

sofaspud

Re: Or Brooks, "It's good to be the king."

I mean, technically, my personal life is none of my employer's business. But right there in the handbook it states that I should remember that my interactions with the public, outside of work or not, reflect upon the company.

This has been true of every professional workplace I've been part of, and especially for higher-level employees is something that's understood by both sides before you accept the position. So I don't think it's unreasonable for a company to request that a high-level employee -- an exec, especially! -- behave in a socially-acceptable and responsible manner.

I mean, sure, as far as the company is concerned, it's all about manipulating public image. But at the same time, asshats won't learn if they don't suffer for their asshattery, so in this sort of situation, my desires (fewer asshats in the world) and the company's desires (look good to the public) coincide. Much as I might dislike the company in question -- in this specific case or in general.

I might have a different opinion if I turn out to be one of the asshats but perhaps fortunately I have yet to be given keys to the fancy toilets and so haven't had the opportunity to demonstrate my lack of judgment. :)

What if everyone just said 'Nah' to tracking?

sofaspud

Re: But How ?

If you're running an Android phone, DNS66 is what I've been using and been quite happy with. It routes all your phone traffic through a VPN hosted by your phone that blackholes all requests to analytics/tracking domains. (You can turn this off for individual apps as desired.)

As a very nice side benefit, my data usage has dropped enormously since I started using it. Never quite realized how much slurpage was going on behind the scenes until I hooked it up.

Totally Sardonic Bank: Well, it must be, to have a TITSUP* the same week as THAT report

sofaspud

American here.

I don't know about the 'dishonest' part, but when we overdraft we usually get dinged for an extra $30 or thereabouts on top of the transaction amount -- and that's per-transaction, not just a one-time fee for going over.

Those add up *fast*.

Not sure if that's how it works in other countries.

(Let's not even get into banks selling what they call "overdraft protection" which does not do what it says on the tin but rather, for a flat fee, means they charge you a little less when you overdraft.)

London cops seeking £600m mega IT contract to knock 'towers' sprawl into 'one throat to choke'

sofaspud

Re: Musical chairs

"The fact that it may appear to the uninformed eye like Plan A is just an error on your part; if you were better informed you wouldn't be looking at it so critically."

That is beautiful. There's no clapping icon so have a thumbs-up instead.

Ex from Hell gets six years for online stalking and revenge pics rampage at two women

sofaspud

Re: My guess, he's lucky to be alive

Wait, wait wait wait.

Passport photos have to be nudes now?

Man, that's gotta be awkward. Not all of us are model-quality.

Hey, I wrote this neat little program for you guys called the IMAC User Notification Tool

sofaspud

Amusement where I can

I currently work in the financial services industry and, in case you weren't aware, they generally have about as much of a sense of humor as your average pet rock.

There's a department here that has a long, ongoing project with the initials 'P' and 'S'. It's the P & S Project.

Or as it invariably gets slurred, the PnS Project. And just as often, shorthanded as just "PnS".

I swear I'm going to get fired one of these days when I'm too tired to keep a straight face as the VIP drones on about the size and scope of the PnS.

When the satellite network has literally gone glacial, it's vital you snow your enemy

sofaspud

Re: Battleship!

Back when I was a shaggy-haired teenager, I had a job delivering electronics for a local repair shop. Picking up broken crap to be fixed (TVs, VCRs, etc) and dropping off repaired items for "high-value customers".

Customers like an officer at the local airbase.

So I pull up to the guard post in my shitty Ford Tempo, backseat and trunk crammed full of electronic odds and ends, and the soldier on duty takes one look in the backseat and tells me to step out while they investigate my vehicle. Guns were not -- quite -- pointed at me, but there was a lot of tension, you might say.

A couple hours later my car has been disassembled and is sitting in pieces while they discuss what to do, when the officer who I was supposed to deliver to pulls up wanting to know where the hell his delivery is.

"Delivery?" says the guard.

"That's me!" says I, and point at one of the VCRs with a service tag attached.

To be fair, it took the motor pool less time to reassemble my car than it had taken to disassemble it in the first place.

These days I imagine they'd just blow it up (quite possibly with me in it), but back then things were a bit more relaxed.

Every dog has its day – and this one belongs to Boston Dynamics' four-legged good boy Spot

sofaspud

Re: Alternatively...

While true, you're forgetting the waste disposal requirements that come along with Live Dogs. A single Live Dog with the 10kg carrying capacity frame will produce significant waste product on a daily basis, and requires ready access to both H2O and other organic compounds as fuel.

RoboDog, on the other hand, just plugs into your outlet, and produces no waste requiring disposal.

We do not recommend plugging a Live Dog into your electrical outlet. You will void the warranty at the very least.

City-obliterating asteroid screamed past Earth the other night – and boffins only clocked it just 26 hours beforehand

sofaspud

Re: Not very reassuring, is it

It's not bogus, it's just math.

I'm not a mathematician (or statistician) but my job does involve a large amount of working with statistics. In a layman's-terms nutshell:

Say you have a big bag of things -- marbles or whatever. Doesn't matter what they are, what matters is that each one is individual -- unique -- and your job is to record them. You don't know how many are in the bag to start with, and because your boss is a jerk, you're only allowed to reach into the bag, grab one at random, record it, and put it back afterwards, and then start the process over again.

So you've been at this for a while, and at first every one you grabbed was new. Then over time, you started seeing ones that you'd already recorded. Eventually, you reach a point where nine out of ten times you reach into the bag, you're finding one you've already seen.

At that point you're pretty safe to say that you've seen 90% of the marbles in that bag, and you can even make a decent estimate about how many there are, even though you haven't counted them all yet.
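A simulation of the marble-bag reasoning in the post above, added here as an illustration (it is not sofaspud's code): it draws with replacement from a bag of known size, stops once nine of the last few hundred draws are repeats, and estimates the bag size as distinct marbles seen divided by the repeat rate. The bag size, window length and random seed are assumptions chosen for the demo.

```python
import random


def estimate_total(distinct_seen, repeat_rate):
    """Estimate the bag size from a coverage check.

    If a fraction r of recent random draws are marbles already recorded,
    roughly a fraction r of the bag has been seen, so the bag holds about
    distinct_seen / r marbles. This is the post's "nine out of ten" argument.
    """
    if not 0 < repeat_rate <= 1:
        raise ValueError("repeat_rate must be in (0, 1]")
    return distinct_seen / repeat_rate


def simulate_until_coverage(n_items, target_rate=0.9, window=500,
                            seed=7, max_draws=1_000_000):
    """Draw with replacement until the recent repeat rate reaches target_rate.

    n_items is the true (unknown to the drawer) bag size; window is how many
    recent draws the repeat rate is measured over. All values are assumptions.
    """
    rng = random.Random(seed)            # seeded so the run is reproducible
    recorded = set()                     # marbles seen at least once
    recent = []                          # True for each recent draw that was a repeat
    draws = 0
    for draws in range(1, max_draws + 1):
        marble = rng.randrange(n_items)  # grab one at random
        recent.append(marble in recorded)
        recorded.add(marble)             # record it, put it back
        if len(recent) > window:
            recent.pop(0)
        if len(recent) == window and sum(recent) / window >= target_rate:
            break                        # nine of ten recent draws are repeats
    repeat_rate = sum(recent) / len(recent)
    return {
        "draws": draws,
        "distinct_seen": len(recorded),
        "repeat_rate": repeat_rate,
        "estimated_total": estimate_total(len(recorded), repeat_rate) if repeat_rate else None,
        "true_total": n_items,
    }


if __name__ == "__main__":
    print(simulate_until_coverage(1000))
```

With a 1000-marble bag the run stops after a couple of thousand draws having seen roughly 900 distinct marbles, and the estimate lands near 1000 without anyone ever counting the bag.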

Bad news: Earth is not going to be walloped by asteroid 2006 QV89. Good news: Boffins have lost sight of it, so all hope is not yet lost

sofaspud

I bet Ol' Musky's car took care of it for us. Autopilot's awfully good at hitting things, after all.

Dear El Reg, Will Windows 10 break my VPN? I read it on the web so it must be true

sofaspud

Re: "on devices [...]"

Yeah, in reading the Official Microsoft Workaround for this issue, it sure scans to me like you have to turn telemetry on for RASMAN to work again.

https://support.microsoft.com/en-au/help/4501375/windows-10-update-kb4501375

Cranky and cynical as I am, I still manage to raise an eyebrow at this one. The only scenarios I can think of for how a bug of this class could have happened suggest that coding skill over at MS has declined even further than I thought -- and that was already pretty low.

Stop using that MacBook Pro RIGHT NOW, says Uncle Sam: Loyalists suffer burns, smoke inhalation and worse – those crappy keyboards

sofaspud

Re: Customer service?

If that's a Subaru Legacy you're referring to there, the trick I've found for headlamp replacement is to go in through the wheel well.

Which should not, repeat not not not, be necessary, mind you, but there it is.

I bought a pack of those little plastic pressure clips to reattach the wheel well cover, rather than trying to re-use the existing ones, and I can replace the headlamps in about 5 minutes these days. Seriously, though, you should not have to do this, there's no reason other than laziness in design (or protecting dealership mechanics) why you shouldn't be able to access the back of the lamp shrouds by just lifting the hood.

Overzealous n00b takes out point-of-sale terminals across the UK on a Saturday afternoon

sofaspud

Re: You should have been sacked

Grrr. Your example is something I see *every day*, because so-called 'programmers' stopped bothering to learn how the platform they were writing on actually works and instead rely on their favorite library-of-the-day to just make it all work.

Guess I shouldn't complain too much -- if they'd do it right I'd not have the job -- but there are days I could do with less mess to clean up.

But what do I know. I've only been doing this stuff for going on 30 years. THEY have DEGREES.

Hams try to re-carve the amateur radio spectrum in fight over open or encoded transmissions

sofaspud

Re: Don't make laws that can't be enforced.

Thank you for offering a valid reason why emergency comms should be encrypted. I've been trying to puzzle out what possible use secrecy in an emergency could have and clearly I'm a bit on the dim side.

Meizu ditched hole-free phone because it was 'just the marketing team messing about', not because no one really gave a toss

sofaspud

Re: Deal...

I used to think this myself, but then discovered that my wife has been video chatting with our 5-year-old niece while away on business trips. Both of them love it.

I have perforce been overruled and all future phones we get will have front-facing cameras.

(Can't say I'm too miffed about it, at least they're not using it for selfies, I suppose.)

Google asked to take down 2.4 MEEELLION URLs under EU law

sofaspud

Re: This protection is good, but...

While you're not wrong, protecting yourself only goes so far. When my idiot brother plonks my personal info all over Facetwit, that's not a mistake I made* but it's still my mess to clean up.

(* it could be argued that it's a mistake my parents made...)

I mean, I'm screwed anyway because I'm in the U.S., but still, it's not quite as black-and-white as all that.

Meltdown, Spectre bug patch slowdown gets real – and what you can do about it

sofaspud

Say you've got yourself a datacenter running multiple VMs for who-knows-how-many clients. How much do you want to bet on all of them being completely perfect in adhering to security protocols?

Biting the hand that feeds IT © 1998–2020