Posts by NullNix

Re: A self-defeating approach?

It's commonplace. Most banks have *ancient* systems, and this is just one of many ways that shows.

If you want ridiculous, until last year the Coventry had a scheme where you had an eight-char password, uppercase alphanumerics only, changeable on request -- they posted you a form with eight boxes in it which you filled out and posted back, and then a few days later the password was changed. This was obviously grossly insecure so they pasted other security challenges over the top of it over time (and lately have replaced it entirely).

I bet this is because the password in question was an actual mainframe account password of some sort, changeable only from an operator console. It had that smell. (This year, they changed to allowing really long passwords, and better yet passwords with no stupid restrictions on what characters must be present, so I can just use the result of a yubikey's HMAC-SHA1 challenge-response as the password. Finally.)

Re: Wang Care

Not just American companies. None other than the great Jack Vance, perhaps one of the finest wordsmiths then alive, wrote a book titled _Servants of the Wankh_, silent h and all. Admittedly, he wanted the book's title to be different, but the Wankh *were* a pivotal species in the book and he definitely didn't see anything wrong with their name. Many years later he renamed them to the 'Wannek' after being told what 'wank' meant in Britain.

If Vance didn't know... it's safe to say that next to nobody in the US did other than immigrants from countries speaking British English variants, at least not a few decades back.

Re: She doesn't test her software and there's data corruption

Back when I was working for excessively boring bottom-of-the-barrel no-name City firms... well, one of them decided to make a superhero graphic novel. Because *obviously* wrestling with databases is *just like* causing massive property damage in the streets of Manhattan.

Somewhere, some poor sod had to draw multiple frames of a character in a superhero costume... sitting at a keyboard doing electronic stock trading. HEROIC!

Re: Alternativly

Dave is the guy who has to deal with the integration problems this sort of throw-it-over-the-wall no-external-contributions code implies. It's a hell of a lot more work than it would otherwise be (and I can say this as someone who's been on both sides of that fence, both throwing code over the wall in a project my then bosses didn't allow me to open, and trying to integrate another such project with a larger system, which was much like trying to get blood out of a stone only less pleasant).

This isn't dogmatism, it's common sense.

Re: Then there's running an X session remotely.....

Apparently 'waypipe' is supposed to be able to do this. I mean yes it works by throwing bitmaps around, but in practice so does most X work now. (Except Emacs, which is probably a major reason to keep XWayland around. XWayland doesn't work with everything, but Emacs doesn't use the modern stuff like systrays etc that XWayland doesn't like, so you should be OK.)

But then what was the thing being "made redundant by chipmakers"? As far as I can tell the only possible answer to this is "nothing": segment overrides still exist and still work just as well as they did last year. This change is not being implemented because of changes from "chipmakers" (Intel? AMD? the RISC-V Foundation? At this point it could be anyone).

The article is more than half nonsense.

Re: Linux kernel

Can't do that. Real users might have used touch to set file times to any date in the currently-valid range, so we have to expand the range in a compatible fashion, not just slide it along. (Sure, maybe you could say "bugger any users doing such crazy things", but that's the difference between a hobby filesystem and a bulletproof one. :) )

There are also (mostly-invisible) timestamps in places like the quota format that needed handling (that one was handled by reducing its precision by a factor of four, quadrupling its range with almost certainly zero visible impact on any users ever).

Re: Two questions

Some versions of Android at least log when apps ask for location, and how finegrained it is. I have not (yet!) observed the NHS app making any such queries, and the source doesn't do any that I can see.

Re: That's downright cheap!

I didn't say you couldn't get mechanical keyboards: I said they weren't going to be cheap. This is not a bad thing, as you still save money in the end because the thing'll take many times longer to wear out than a cheap keyboard would. It's Vimes's "Boots" theory of socio-economic unfairness applied to keyboards.

(Ergonomic *everything* is much more expensive. It doesn't matter: my trusty Maltron might cost a lot but I bought it in the early 2000s, have used it to the exclusion of everything else, and it still works. The keyswitches wore out once and were replaced: doing the replacement cost about £70, and was worth every penny. It *is* important that you have a method in place to avoid the possibility of ever spilling anything on the keyboard!)

Re: So?

> 27,000 lines of code isn't really that much, its a substantial chunk but it should break down into components that can be individually reviewed and tested.

Yes, and doing that was Paragon's job, not the reviewer's. It's not like it's hard to split a huge ugly pile of work into neat commits. Picking an example totally at random because it's one I'm familiar with: it's not quite as big perhaps, but I did that for 10,000-odd lines of work just last month, originally in perhaps 250 completely unreviewable use-git-as-a-backup-system commits with commit log messages reading things like "fix the fix" and "giant pile of unsplit work" (https://sourceware.org/pipermail/binutils/2020-June/112012.html). It took perhaps two days to split up six months or so of work.

If you can't be bothered to do even that much to make your code easier to follow, I don't think it says much about your likely long-term commitment to the contribution or about your consideration for the maintainer you're dumping this stuff on.

Re: Get Root?

Not that I can see, which makes this whole thing a panic over nothing. Yes, if you run malicious code as root it *can* persist itself. This is nothing new. Don't run malicious code as root. (And keep your machine as safe as possible from holes that allow unprivileged users or network daemons to escalate to root.)

(Secure Boot only saves the boot process and firmware, anyway -- it won't save you from things that persist in network card firmware, disk controller firmware etc. Like, oh, the NSA uses, and since they do I'm sure the Russians can deploy that real soon now as well. Again, just don't run it as root and you're safe.)

Re: Alternatives?

Yeah. I will admit I don't understand people who say they do a lot of typing and then insist on buying a cheap keyboard. If you do a lot of typing the keyboard is critical equipment, and it's critical stuff that your hands hit a lot. That means it's also health-critical. Why would you *not* spend a reasonable sum on something like that? Why aim for the cheapest thing you possibly can? I am mystified.

Also... if you buy a keyboard with good switches -- which means expense, I'm sorry -- you can expect it to not fail for decades. The Cherry keyswitches I'm using in the keyboard here did need replacement, but that was after *twenty years of continuous use*, and the thing about a keyboard that costs a lot is that if the vendor is still going after that long they'll probably be happy to replace the switches for you for less than the cost of a replacement keyboard.

Cheaper keyboards wear out much faster, and are nastier to type on as well.

Re: "Another bemoaned the hammering of yet another nail in the coffin of Blighty's ISP past"

So, how does "ten addresses" compare to "infinite addresses and you can run your own mailserver, in fact you have to, here's one we configured for you: all the configurability you could possibly want"

Really worth moaning about (not that any of that good stuff survived the Vodaphony takeover).

Re: Just a guess, TTL timing?

Similar example on the C64, which came directly down to driving the DRAM out of spec. This one wasn't diagnosed until a few years ago, and was of course first shown as a demoscene scroller with appropriate freshly-composed music.

Re: When people talk about the abuse of petty authority I ask

Oh come on she wasn't selected on that basis. She was selected on the basis of being pro-Brexit, just like everyone else in Cabinet. She just happens to combine that with being so right-wing that she makes Rees-Mogg look like Neil Kinnock, so short-tempered that she makes our recently-ex Speaker look like the kindest person who ever was, and "as thick as mince" (and that was from one of her *supporters*, off the record).

However, she didn't manage the biggest own-goal of this Cabinet so far, infecting half of it with SARS-CoV-2. That was probably Nadine Dorries' doing -- and that's another sign of a terrible low-competence cabinet: why the hell is she a health minister, even a lowly one? her only interest in public health historically has been to use every possible opportunity to try to ban abortion, even though doing so is *massively* unpopular in the UK outside Northern Ireland and would get any government that tried to do it turned out on its ear. Answer: she's pro-Brexit and they long ago run out of *competent* pro-Brexiteers, given that in order to be an enthusiastic Brexiteer you more or less have to be incapable of foresight or know nothing whatsoever about international trade while imagining that you know a lot.

Unfortunately Brexit is now an irrelevant sideshow and the Tory party is getting a sudden rude reminder of what sorts of threats the protective function of government is actually meant to protect us from, and it's not metric measurements.

Re: Read the PDFs

A horrific disease happened to it. Panic if you can't stay indoors and away from anyone (who cannot also do that themselves) is *rational* when faced with something that spreads more easily than flu and hospitalizes a high proportion of those it infects -- and even if you survive that, the experience is reportedly horrible. Going on a ventilator is not an easy thing: it takes months to recover and often causes permanent damage. COVID-19 may well also cause permanent damage to the heart, liver, and kidneys. Being extremely worried seems sensible to me.

Incurable diseases with consequences like this are beyond the memory of almost everyone now living in the western world. Of *course* people are panicking.

Re: Assume the Conclusion

Well, he's right-ish. 5G towers don't *just* have 5G on them: some of them will also contain the 4G for the area too. Burn them down and you will (if you pick the wrong/right tower) lose mobile coverage completely. The emergency services *do* rely on that, as do people making 999 calls. *National* security, perhaps not, but local safety? Sure.

Re: If you store your project code on an online repository...

If you store your source code in an online repository, don't have an up to date local backup, *and are using git*, I don't know *what* you're doing, because all your local copies must be shallow clones -- are you *that* short of disk space?

It takes real effort to avoid having a local backup with git (which is why github is more or less dispensable to many of us oldtimers who prefer email: git gives you all the code hosting stuff in every local repo :) )

Re: It's all very fascinating

You always have at least two keys (in different places), and register both of them with everything. If you don't, you will sooner or later be regretting it: USB devices don't last forever even if you don't carry them on your keyring. Any site that doesn't allow registration of multiple tokens against a single user identity is arguably broken: don't use it for 2FA unless it provides some sort of fallback (and even then, the fallback serves as a lower-security way in, reducing the security benefits of the key).

(Currently, I have four, but that's more because I lost one and then found it long after, and my then-backup didn't have NFC and I found I needed NFC on at least two of them, than because having that many keys is actually sane.)

Re: A Roger Zelazny reference - Ancient Ore Crusher - bravo!!

Uh... _Comes Now the Power_ was written in 1966. It's a very long way from being out of copyright.

Re: SSH NOT a problem

Also, it doesn't have to get authorized_keys out of the home directory -- and actually if your $HOME is NFS-shared that's a bad idea, because it means an attacker with access to your $HOME on one machine can trivially leverage that into access to all of them.

Instead, use AuthorizedKeysCommand and/or AuthorizedKeysFile in sshd_config to pull your authorized_keys from a central location (it can just be done via curl :) ) which, sure, each user can modify -- but only if they have access to that central location anyway. (Perhaps the fileserver on which all this stuff is stored anyway.)

Re: Another one for the business school training materials

Well, it is a complete transformation! Once-massively-successful company with not much internal friction whose only problem was not much of a business model: now going down the tubes, general laughing stock, unionizations, firings, mass departures, fear and loathing... you can't say it's not transformed. Not a transformation I'd *like*, mind you.

I read them in Private Eye a few years ago, when they recanted their support for the Wakefield MMR thing. (They assumed that the government was lying on this point, as on so many other points in the past -- and for a change their default position of permanent cynicism led them very far astray.)

Re: For all the regex haters out there: Don't forget that machine code is the same

And they're not fixing this by not using regexes: they're fixing this by switching to a NFA-based regex engine, so the nearly-exponential explosion no longer happens. (Instead, you can get an explosion in NFA states, but this is statically detectable at regex compile time rather than stabbing you in the face at runtime without warning. Much better.)

Quite. In particular, the RIDL paper can exfiltrate data you shouldn't have access to even in the absence of hyperthreading. There's a little more noise, but if you have TSX even that is driven down to irrelevantly low levels. (TSX: not so useful for real work, but oh so useful for attackers!)

Re: And another old name is discarded...

Ah yes, Spuddy. Stephen is still around, btw, even if long moved to the US and not running Spuddy as a service for many years :) (the domain is still around, and he still uses it for his email, and there are still some users AIUI, of the personal-friend variety :) ).

(Another ex-Demonite here, esperi.demon.co.uk as was, joined in 1996 I think, via KA9Q at first. Transitioned to Linux after a few years, then migrated to Zetnet in 2003 because Demon was clearly not the wonderful thing it used to be; migrated in fury to AAISP in 2008 after Breathe bought Zetnet and screwed it up so catastrophically that even if you were running your own mailserver and your own MX records they still managed to lose all your mail with no recourse because you couldn't even get back control of your domain: they took an entire month just to let me get out: about what you'd expect of an ISP that bizarrely boasted on its own corporate homepage of how many times they'd gone bankrupt. AAISP at least have proved wonderful for a decade and counting now.)