* Posts by NullNix

44 posts • joined 12 Jan 2019

Passwords begone: GitHub will ban them next year for authenticating Git operations

NullNix

Re: A self-defeating approach?

It's commonplace. Most banks have *ancient* systems, and this is just one of many ways that shows.

If you want ridiculous, until last year the Coventry had a scheme where you had an eight-char password, uppercase alphanumerics only, changeable on request -- they posted you a form with eight boxes in it which you filled out and posted back, and then a few days later the password was changed. This was obviously grossly insecure so they pasted other security challenges over the top of it over time (and lately have replaced it entirely).

I bet this is because the password in question was an actual mainframe account password of some sort, changeable only from an operator console. It had that smell. (This year, they changed to allowing really long passwords, and better yet passwords with no stupid restrictions on what characters must be present, so I can just use the result of a yubikey's HMAC-SHA1 challenge-response as the password. Finally.)

NullNix

I'd bet that SSH keys will stick around, simply because they are ubiquitous in git usage and definitely not insecure -- but I suspect they'll start encouraging "sk"-format keys stored on U2F hardware tokens sooner or later, to prevent attackers stealing keys off client disks or out of client memory. (SK keys are new in OpenSSH 8.2+: it's the only hardware token mechanism I've ever found to be in any way usable. As long as both client and server are new enough -- a requirement, since this is a new key type -- I've found it as reliable as ordinary on-disk keys, something I could never have said of the old CCID-backed PIV or GPG-based nightmares.)

Who knew that hosing a table with copious amounts of cubic metres would trip adult filters?

NullNix

Re: Wang Care

Not just American companies. None other than the great Jack Vance, perhaps one of the finest wordsmiths then alive, wrote a book titled _Servants of the Wankh_, silent h and all. Admittedly, he wanted the book's title to be different, but the Wankh *were* a pivotal species in the book and he definitely didn't see anything wrong with their name. Many years later he renamed them to the 'Wannek' after being told what 'wank' meant in Britain.

If Vance didn't know... it's safe to say that next to nobody in the US did other than immigrants from countries speaking British English variants, at least not a few decades back.

MongoDB loses its mind with marketing budget movie mania: Yep, it's choose-your-own-adventure Hackers with drop-down menus

NullNix

Re: She doesn't test her software and there's data corruption

Back when I was working for excessively boring bottom-of-the-barrel no-name City firms... well, one of them decided to make a superhero graphic novel. Because *obviously* wrestling with databases is *just like* causing massive property damage in the streets of Manhattan.

Somewhere, some poor sod had to draw multiple frames of a character in a superhero costume... sitting at a keyboard doing electronic stock trading. HEROIC!

Here's a little Intel: Beware of Linux graphics vendors bearing gifts of shared code – open-sourcer

NullNix

Re: Alternativly

Dave is the guy who has to deal with the integration problems this sort of throw-it-over-the-wall no-external-contributions code implies. It's a hell of a lot more work than it would otherwise be (and I can say this as someone who's been on both sides of that fence, both throwing code over the wall in a project my then bosses didn't allow me to open, and trying to integrate another such project with a larger system, which was much like trying to get blood out of a stone only less pleasant).

This isn't dogmatism, it's common sense.

Why, yes, you can register an XSS attack as a UK company name. How do we know that? Someone actually did it

NullNix

So I saw the 'crappy company name' and had a look. Registered in Bracknell, oh, wait, this is RevK isn't it? Look over at 'People', and yes, it is.

See https://twitter.com/TheRealRevK/status/1319869941819101186

X.Org is now pretty much an ex-org: Maintainer declares the open-source windowing system largely abandoned

NullNix

Re: Then there's running an X session remotely.....

Apparently 'waypipe' is supposed to be able to do this. I mean yes it works by throwing bitmaps around, but in practice so does most X work now. (Except Emacs, which is probably a major reason to keep XWayland around. XWayland doesn't work with everything, but Emacs doesn't use the modern stuff like systrays etc that XWayland doesn't like, so you should be OK.)

Linus Torvalds hails 'historic' Linux 5.10 for ditching defunct addressing artefact

NullNix

But then what was the thing being "made redundant by chipmakers"? As far as I can tell the only possible answer to this is "nothing": segment overrides still exist and still work just as well as they did last year. This change is not being implemented because of changes from "chipmakers" (Intel? AMD? the RISC-V Foundation? At this point it could be anyone).

The article is more than half nonsense.

NullNix

But in that case the article makes no sense! Linux never *used* 286 protected mode: 286 protected mode is not "being removed by chipmakers" but rather (depending on your viewpoint) either is still here or ceased to exist as soon as the 386 came along (386 protected mode is a strict superset except for 286 LOADALL, which was never documented). 386 protected mode is also not being removed, not for a very long time. Segment prefix overrides, ditto (heck, gas just had a bug fixed with regard to segment override printing), though many overrides do nothing in long mode.

Regardless, Linux never worked on the 286 in any case.

So... nothing has been "made redundant by chipmakers", this change has little or nothing to do with the 286 (on which %fs never existed, so set_fs obviously never worked there even back in the days when it used %fs)... and set_fs being removed is a purely kernel-internal thing that has no relationship with anything being made obsolete by Intel... or whichever "chipmaker" is being vaguely alluded to here. It stopped using the %fs register ages ago, but that doesn't mean %fs has been removed, just that this particular use for it has gone away. (It is in the ABI. It cannot be removed without breaking every program that uses thread-local storage. %fs is forever.)

My impression of an article written by someone who didn't know what he was talking about persists.

NullNix

Re: RISC OS did this in the 1980s

The 64-bit time_t stuff has been landing for many releases now, and time_t has always been 64-bit on 64-bit platforms. This is all filesystem work, which is much harder because the data is persistent and people like not to lose it. In this case, XFS format v5 is gaining 64-bit stuff for filesystem timestamps, in a backwardly-compatible way that does not require a mkfs: that's all. (Bear in mind that the original XFS is a child of the early 90s, so not all that much newer than RISC OS.)

NullNix

This article is almost entirely wrong, to the point that I wonder whether the author has done any research whatsoever or knows anything at all about the x86, even the names of the registers in its register file.

%fs and %gs originated with the 386, not the 286, as ten seconds' research would show. As Linus himself said in the very announcement you link to, the kernel hasn't used %fs to point to user memory since sometime before the start of git history, and it certainly hasn't been 'made redundant by chipmakers': %fs and %gs are the only two segment registers that are still useful in x86_64 long mode, and indeed the kernel still uses them, as does userspace.

It's just that the kernel no longer uses a function call that happens to still be called set_fs() (for purely historical reasons) to address userspace memory while in kernel mode, that's all. (Instead this security-sensitive thing is now done at the lowest possible level, in the smallest possible number of places, in the access primitives themselves, not scattered across all the individual drivers that do the accesses.)

Linux 5.10 to make Year 2038 problem the Year 2486 problem

NullNix

Re: Linux kernel

Can't do that. Real users might have used touch to set file times to any date in the currently-valid range, so we have to expand the range in a compatible fashion, not just slide it along. (Sure, maybe you could say "bugger any users doing such crazy things", but that's the difference between a hobby filesystem and a bulletproof one. :) )

There are also (mostly-invisible) timestamps in places like the quota format that needed handling (that one was handled by reducing its precision by a factor of four, quadrupling its range with almost certainly zero visible impact on any users ever).

NullNix

Re: Glad to see the legacy of Silicon Graphics living on

Um... Darrick has been an XFS hacker at Oracle for over five years now. If nearly a thousand commits aren't enough to leach this of its irony, I don't know what is.

NullNix

64-bit time_t on 32-bit platforms is not a thing which has been around for "ages": indeed the user interface (well, programmer interface, like -D_FILE_OFFSET_BITS) for 64-bit time_t on 32-bit was only finalized earlier this year and has basically not trickled out to anyone yet.

The major advantage of this fix is that it can be applied to existing filesystems with a single traversal over the inodes to fix them up. Going to true 64-bit time_t would require a mkfs (which means most systems would never do it).
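The two posts above (the "Re: Linux kernel" reply and this one) argue that a timestamp range has to be widened by re-encoding every stored value, not by sliding the epoch of the same field along. Here is an added worked example of that argument in Python; it is not XFS's code and not NullNix's. The legacy layout (signed 32-bit seconds plus 32-bit nanoseconds) and the widened layout (one unsigned 64-bit nanosecond count starting at the earliest legacy instant, 1901-12-13) are assumptions modelled on the classic XFS inode timestamp and on the "bigtime" scheme as I understand it, not a claim about the exact on-disk bit layout.

```python
"""Added illustration (not XFS's own code): widening a filesystem timestamp
range by re-encoding versus by sliding the epoch.

Assumed legacy form: signed 32-bit seconds since 1970 plus 32-bit nanoseconds.
Assumed widened form: unsigned 64-bit nanoseconds counted from the earliest
legacy instant, 1901-12-13T20:45:52Z.  Every legacy value maps onto exactly
one widened value, so one pass over the inodes converts a filesystem in place,
and the top of the range moves from 2038 to 2486.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

S32_MIN = -2**31            # 1901-12-13T20:45:52Z as a signed 32-bit time_t
S32_MAX = 2**31 - 1         # 2038-01-19T03:14:07Z, the classic rollover point
NSEC_PER_SEC = 1_000_000_000
U64_MAX = 2**64 - 1
EPOCH_OFFSET = -S32_MIN     # shift so the earliest legacy instant encodes as 0
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def check_legacy(seconds: int, nsec: int) -> tuple[int, int]:
    """Range-check a (seconds, nsec) pair against the legacy signed-32 format."""
    if not S32_MIN <= seconds <= S32_MAX or not 0 <= nsec < NSEC_PER_SEC:
        raise OverflowError("timestamp outside the legacy 32-bit range")
    return seconds, nsec


def legacy_to_big(seconds: int, nsec: int) -> int:
    """Re-encode a legacy timestamp into the widened unsigned 64-bit form."""
    seconds, nsec = check_legacy(seconds, nsec)
    return (seconds + EPOCH_OFFSET) * NSEC_PER_SEC + nsec


def big_to_unix(big: int) -> tuple[int, int]:
    """Decode the widened form back to (seconds since 1970, nanoseconds)."""
    if not 0 <= big <= U64_MAX:
        raise OverflowError("value does not fit in an unsigned 64-bit field")
    seconds, nsec = divmod(big, NSEC_PER_SEC)
    return seconds - EPOCH_OFFSET, nsec


def widened_range() -> tuple[datetime, datetime]:
    """Earliest and latest instants the widened form can represent."""
    lo = UNIX_EPOCH + timedelta(seconds=big_to_unix(0)[0])
    hi = UNIX_EPOCH + timedelta(seconds=big_to_unix(U64_MAX)[0])
    return lo, hi


def reencode_by_sliding(seconds: int, shift: int) -> int | None:
    """The alternative the post rejects: keep the 32-bit field and move its
    epoch forward by `shift` seconds.  Range gained at the top is lost at the
    bottom, so an existing timestamp earlier than S32_MIN + shift (set by a
    user with touch, say) can no longer be stored.  Returns the field value
    that would be written, or None when the old value no longer fits."""
    if seconds < S32_MIN + shift:
        return None
    return seconds - shift


def convert_inode_table(table: list[tuple[int, int]]) -> list[int]:
    """The 'single traversal' conversion: one pass over legacy (sec, nsec) pairs."""
    return [legacy_to_big(s, n) for s, n in table]


if __name__ == "__main__":
    lo, hi = widened_range()
    print("widened range:", lo.isoformat(), "to", hi.isoformat())
    # constructed sample inode timestamps: epoch, a 1901 oddity, the 2038 limit
    sample = [(0, 0), (S32_MIN, 5), (S32_MAX, 999_999_999)]
    for big in convert_inode_table(sample):
        print(big, "->", big_to_unix(big))
    print("1901 timestamp after sliding the epoch by 100 years:",
          reencode_by_sliding(S32_MIN, 100 * 365 * 86400))
```

The round trip `big_to_unix(legacy_to_big(s, n)) == (s, n)` holds for every legacy value, which is what makes the in-place conversion safe; `reencode_by_sliding` shows why simply moving the epoch would silently drop valid existing timestamps instead.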

NHS COVID-19 launch: Risk-scoring algorithm criticised, the downloads, plus public told to 'upgrade their phones'

NullNix

Re: Two questions

Some versions of Android at least log when apps ask for location, and how fine-grained it is. I have not (yet!) observed the NHS app making any such queries, and the source doesn't do any that I can see.

NullNix

Re: Small houses

You can turn it off if you're alone at home. (It is probably not wise to do so if you are at home but not alone!)

It's pointlessly annoying to do so on Android (there should be a quick icon to do it, or a home-screen widget, or something, but no it's buried two or three screens deep), but it's doable and takes only a few seconds. Just remember to turn it on again (which is just as annoying).

Das Keyboard 4C TKL: Plucky mechanical contender strikes happy medium between typing feel and clackety-clack joy

NullNix

Re: That's downright cheap!

I didn't say you couldn't get mechanical keyboards: I said they weren't going to be cheap. This is not a bad thing, as you still save money in the end because the thing'll take many times longer to wear out than a cheap keyboard would. It's Vimes's "Boots" theory of socio-economic unfairness applied to keyboards.

(Ergonomic *everything* is much more expensive. It doesn't matter: my trusty Maltron might cost a lot but I bought it in the early 2000s, have used it to the exclusion of everything else, and it still works. The keyswitches wore out once and were replaced: doing the replacement cost about £70, and was worth every penny. It *is* important that you have a method in place to avoid the possibility of ever spilling anything on the keyboard!)

NullNix

That's downright cheap!

You can't get *decent* mechanical keyboards (the sort that'll live for a decade or more) for much less than this is going for. Ergonomic ones routinely cost two or three times as much.

It looks good to me (though I'm not interested in it because RSI means I'm forced to use ludicrously expensive ergonomic keyboards -- and, because spending that much money is a sort of mind control, I'm forced to evangelise them at every possible opportunity too QWERTY SUCKS even when it makes no sense and is SPLIT KEYBOARDS FOREVER obviously shoehorned into the FNORD conversation.)

Linux kernel maintainers tear Paragon a new one after firm submits read-write NTFS driver in 27,000 lines of code

NullNix

Re: So?

> 27,000 lines of code isn't really that much, its a substantial chunk but it should break down into components that can be individually reviewed and tested.

Yes, and doing that was Paragon's job, not the reviewer's. It's not like it's hard to split a huge ugly pile of work into neat commits. Picking an example totally at random because it's one I'm familiar with: it's not quite as big perhaps, but I did that for 10,000-odd lines of work just last month, originally in perhaps 250 completely unreviewable use-git-as-a-backup-system commits with commit log messages reading things like "fix the fix" and "giant pile of unsplit work" (https://sourceware.org/pipermail/binutils/2020-June/112012.html). It took perhaps two days to split up six months or so of work.

If you can't be bothered to do even that much to make your code easier to follow, I don't think it says much about your likely long-term commitment to the contribution or about your consideration for the maintainer you're dumping this stuff on.

This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

NullNix

Re: Get Root?

Not that I can see, which makes this whole thing a panic over nothing. Yes, if you run malicious code as root it *can* persist itself. This is nothing new. Don't run malicious code as root. (And keep your machine as safe as possible from holes that allow unprivileged users or network daemons to escalate to root.)

(Secure Boot only saves the boot process and firmware, anyway -- it won't save you from things that persist in network card firmware, disk controller firmware etc. Like, oh, the NSA uses, and since they do I'm sure the Russians can deploy that real soon now as well. Again, just don't run it as root and you're safe.)

Soft press keys for locked-down devs: Three new models of old school 60-key Happy Hacking 'board out next month

NullNix

Re: Alternatives?

Yeah. I will admit I don't understand people who say they do a lot of typing and then insist on buying a cheap keyboard. If you do a lot of typing the keyboard is critical equipment, and it's critical stuff that your hands hit a lot. That means it's also health-critical. Why would you *not* spend a reasonable sum on something like that? Why aim for the cheapest thing you possibly can? I am mystified.

Also... if you buy a keyboard with good switches -- which means expense, I'm sorry -- you can expect it to not fail for decades. The Cherry keyswitches I'm using in the keyboard here did need replacement, but that was after *twenty years of continuous use*, and the thing about a keyboard that costs a lot is that if the vendor is still going after that long they'll probably be happy to replace the switches for you for less than the cost of a replacement keyboard.

Cheaper keyboards wear out much faster, and are nastier to type on as well.

Oh Hell. Remember the glory days of Demon Internet? Well, now would be a good time to pick a new email address

NullNix

Re: "Another bemoaned the hammering of yet another nail in the coffin of Blighty's ISP past"

So, how does "ten addresses" compare to "infinite addresses and you can run your own mailserver, in fact you have to, here's one we configured for you: all the configurability you could possibly want"?

Really worth moaning about (not that any of that good stuff survived the Vodaphony takeover).

OK brainiacs, we've got an IT cold case for you: Fatal disk errors on an Amiga 4000 with 600MB external SCSI unless the clock app is... just so

NullNix

Re: Just a guess, TTL timing?

Similar example on the C64, which came directly down to driving the DRAM out of spec. This one wasn't diagnosed until a few years ago, and was of course first shown as a demoscene scroller with appropriate freshly-composed music.

Watch out, everyone, here come the Coronavirus Cops, enjoying their little slice of power way too much

NullNix

Re: When people talk about the abuse of petty authority I ask

Oh come on she wasn't selected on that basis. She was selected on the basis of being pro-Brexit, just like everyone else in Cabinet. She just happens to combine that with being so right-wing that she makes Rees-Mogg look like Neil Kinnock, so short-tempered that she makes our recently-ex Speaker look like the kindest person who ever was, and "as thick as mince" (and that was from one of her *supporters*, off the record).

However, she didn't manage the biggest own-goal of this Cabinet so far, infecting half of it with SARS-CoV-2. That was probably Nadine Dorries' doing -- and that's another sign of a terrible low-competence cabinet: why the hell is she a health minister, even a lowly one? Her only interest in public health historically has been to use every possible opportunity to try to ban abortion, even though doing so is *massively* unpopular in the UK outside Northern Ireland and would get any government that tried to do it turned out on its ear. Answer: she's pro-Brexit and they long ago ran out of *competent* pro-Brexiteers, given that in order to be an enthusiastic Brexiteer you more or less have to be incapable of foresight or know nothing whatsoever about international trade while imagining that you know a lot.

Unfortunately Brexit is now an irrelevant sideshow and the Tory party is getting a sudden rude reminder of what sorts of threats the protective function of government is actually meant to protect us from, and it's not metric measurements.

NullNix

Re: Cambridge Police are too busy with serious crime

They don't even bother to give you a crime number if a car outright demolishes your garden wall. Why not? Traffic accident, no numberplate! Oh yeah because I'm going to stay up in the middle of the night just in case someone demolishes my garden wall at 3am, then somehow catch the numberplate from the ill-lit street (due to council cutbacks in lamppost number of 50% to save money) before the miscreant drives off.

NullNix

Re: Nothing to Heil nothing to Fear.

People with covid coughs are *not* going to be managing to contain all their coughing once the disease gets going. There's just too much of it, in huge horrible spasms minutes long.

UK enters almost-lockdown: Brits urged to keep calm and carry on – as long as it doesn't involve leaving the house

NullNix

Re: Read the PDFs

A horrific disease happened to it. Panic if you can't stay indoors and away from anyone (who cannot also do that themselves) is *rational* when faced with something that spreads more easily than flu and hospitalizes a high proportion of those it infects -- and even if you survive that, the experience is reportedly horrible. Going on a ventilator is not an easy thing: it takes months to recover and often causes permanent damage. COVID-19 may well also cause permanent damage to the heart, liver, and kidneys. Being extremely worried seems sensible to me.

Incurable diseases with consequences like this are beyond the memory of almost everyone now living in the western world. Of *course* people are panicking.

NullNix

Re: And use food delivery services where you can.

Err.. Russia, rationally, humanely run? It's *literally* organized on the principle of "suck up to the boss, you get everything: everyone else gets nothing".

NullNix

Re: "One form of exercise a day"

Full guidance, quite detailed, is here

NullNix

Re: And use food delivery services where you can.

That's OK: every single UK supermarket has buckled under the load, and is either not accepting new registrations (Sainsburys) or hanging when you try to do it (Waitrose) or not allowing you to buy anything (Tesco) or simply not bothering with a website any more (Ocado). So I guess it's go out and try to pick what food there is off the nearly-bare shelves.

Food markets *are* still open, so those of us lucky enough to live in market towns can still use those as our primary fresh food supply. They seem to be a bit less stricken by panic-buying than the supermarkets.

From Amanda Holden to petrol-filled water guns: It has been a weird week for 5G

NullNix

Re: Assume the Conclusion

Well, he's right-ish. 5G towers don't *just* have 5G on them: some of them will also contain the 4G for the area too. Burn them down and you will (if you pick the wrong/right tower) lose mobile coverage completely. The emergency services *do* rely on that, as do people making 999 calls. *National* security, perhaps not, but local safety? Sure.

Time to svn commit like it's the year 2000: Apache celebrates 20 years of Subversion

NullNix

Without Karl I would be crippled. (But not because of Subversion: because he's one of the very few users of the Maltron keyboard, and back when my RSI started to bite I asked him if it was any good. He said it was. He was quite thoroughly correct.)

One thing Karl has is good taste. The interior of Subversion shows that: it's lovely, enormously extensible, and far more cleanly architected than the interior of Git. However... most of that complexity, in hindsight, is epicyclic: you don't need it if you start from the right place, and in hindsight, Git started from the right place, and Subversion didn't. Of course, Subversion *couldn't* start from the right place, given the design goals, and also one can hardly fault Karl or anyone for not having the insight that led to Git in the first place. You cannot force insights.

Total Inability To Service User Pulls: GitHub wobbles with a good old Thursday TITSUP

NullNix

Re: If you store your project code on an online repository...

If you store your source code in an online repository, don't have an up to date local backup, *and are using git*, I don't know *what* you're doing, because all your local copies must be shallow clones -- are you *that* short of disk space?

It takes real effort to avoid having a local backup with git (which is why github is more or less dispensable to many of us oldtimers who prefer email: git gives you all the code hosting stuff in every local repo :) )

Google's OpenSK lets you BYOSK – burn your own security key

NullNix

Re: It's all very fascinating

You always have at least two keys (in different places), and register both of them with everything. If you don't, you will sooner or later be regretting it: USB devices don't last forever even if you don't carry them on your keyring. Any site that doesn't allow registration of multiple tokens against a single user identity is arguably broken: don't use it for 2FA unless it provides some sort of fallback (and even then, the fallback serves as a lower-security way in, reducing the security benefits of the key).

(Currently, I have four, but that's more because I lost one and then found it long after, and my then-backup didn't have NFC and I found I needed NFC on at least two of them, than because having that many keys is actually sane.)

Ancient Ore Crusher or KillBot 2000? NASA gets ready to pick a name for its Mars 2020 Rover

NullNix

Re: A Roger Zelazny reference - Ancient Ore Crusher - bravo!!

Uh... _Comes Now the Power_ was written in 1966. It's a very long way from being out of copyright.

NullNix

Re: A Roger Zelazny reference - Ancient Ore Crusher - bravo!!

Strongly seconded. Hypnotic, brilliant, and quite entirely unexpected in this position.

This name has my vote. (If it were counted, which it won't be.)

GitLab reset --hard bad1dea: Biz U-turns, unbans office political chat, will vet customers

NullNix

Ah yes, 'clarity'. Because when you completely reverse what you were saying only two days ago after huge controversy, calling the change a mere clarity increase is not going to make you look like a really flagrant liar at all.

(Some people, sheesh.)

The D in Systemd is for Directories: Poettering says his creation will phone /home in future

NullNix

Re: SSH NOT a problem

Also, it doesn't have to get authorized_keys out of the home directory -- and actually if your $HOME is NFS-shared that's a bad idea, because it means an attacker with access to your $HOME on one machine can trivially leverage that into access to all of them.

Instead, use AuthorizedKeysCommand and/or AuthorizedKeysFile in sshd_config to pull your authorized_keys from a central location (it can just be done via curl :) ) which, sure, each user can modify -- but only if they have access to that central location anyway. (Perhaps the fileserver on which all this stuff is stored anyway.)
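The post above describes pulling authorized_keys from a central location via AuthorizedKeysCommand. Here is an added example of such a helper in Python; it is not NullNix's script and not OpenSSH code. The sshd_config lines in the docstring use real OpenSSH options (AuthorizedKeysFile, AuthorizedKeysCommand, AuthorizedKeysCommandUser), but the script path, the KEY_SERVER URL and the sample server response are assumptions. The point a defender would add to the post: the central file is input from another machine, so allowlist the key types you accept (including the sk-* hardware-backed types from the earlier post) and fail closed when the fetch fails rather than emit a partial list.

```python
#!/usr/bin/env python3
"""Added example of an AuthorizedKeysCommand helper (not OpenSSH's code).

sshd runs the command with the login name substituted for %u and treats its
stdout as the user's authorized_keys.  Assumed sshd_config fragment:

    AuthorizedKeysFile none
    AuthorizedKeysCommand /usr/local/sbin/fetch-authorized-keys %u
    AuthorizedKeysCommandUser nobody

KEY_SERVER is an assumed URL standing in for the central location.
"""
from __future__ import annotations
import re
import sys
import urllib.request

KEY_SERVER = "https://keys.example.internal/authorized_keys/"   # assumption
TIMEOUT_SECONDS = 5

# Key types accepted on this host.  The sk-* entries are the OpenSSH 8.2+
# FIDO hardware-backed keys; listing only what you want means a compromised
# or misconfigured key server cannot hand you, say, an ssh-dss key.
ALLOWED_TYPES = {
    "ssh-ed25519",
    "sk-ssh-ed25519@openssh.com",
    "ecdsa-sha2-nistp256",
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "ssh-rsa",
}

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample of what the key server might return for one user.
SAMPLE_RESPONSE = """# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx3e1 alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIG alice@token
command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx3e1 options-not-accepted
ssh-dss AAAAB3NzaC1kc3MAAACB legacy-type
"""


def valid_username(name: str) -> bool:
    """Reject anything that is not a plain login name before it reaches a URL."""
    return bool(USERNAME_RE.match(name))


def filter_keys(text: str) -> list[str]:
    """Keep only well-formed key lines with an allowed type.

    Blank lines and comments are dropped.  Lines that begin with an options
    field (command=, environment=, ...) are dropped too: policy like that is
    decided on this host, not by whoever can write to the central file.
    The comment field is truncated to its first word."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
            continue
        if not BASE64_RE.match(parts[1]):
            continue
        kept.append(" ".join(parts[:3]))
    return kept


def fetch(user: str) -> str:
    """Fetch the central file; urllib verifies the server certificate by default."""
    with urllib.request.urlopen(KEY_SERVER + user, timeout=TIMEOUT_SECONDS) as resp:
        return resp.read().decode("utf-8", errors="replace")


def main(argv: list[str]) -> int:
    if len(argv) != 2 or not valid_username(argv[1]):
        return 1
    try:
        body = fetch(argv[1])
    except Exception as exc:          # fail closed: no keys, not stale or partial ones
        print(f"fetch failed: {exc}", file=sys.stderr)
        return 1
    for line in filter_keys(body):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Failing closed means an outage of the key server locks everyone out of key-based login, so in practice you would pair this with a cached copy or a second AuthorizedKeysFile on the fileserver the post mentions; either way the only people who can change the list are those who can already write to that central location. sshd itself also refuses to start unless AuthorizedKeysCommandUser is set, and requires the command path to be absolute.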

Hey, NPM. How do you like your Bogensberger? He's, well, done: CEO Bryan ejects from biz

NullNix

Re: Another one for the business school training materials

Well, it is a complete transformation! Once-massively-successful company with not much internal friction whose only problem was not much of a business model: now going down the tubes, general laughing stock, unionizations, firings, mass departures, fear and loathing... you can't say it's not transformed. Not a transformation I'd *like*, mind you.

Stallman's final interview as FSF president: Last week we quizzed him over Microsoft visit. Now he quits top roles amid rape remarks outcry

NullNix

I read them in Private Eye a few years ago, when they recanted their support for the Wakefield MMR thing. (They assumed that the government was lying on this point, as on so many other points in the past -- and for a change their default position of permanent cynicism led them very far astray.)

Cloudflare comes clean on crashing a chunk of the web: How small errors and one tiny bit of code led to a huge mess

NullNix

Re: For all the regex haters out there: Don't forget that machine code is the same

And they're not fixing this by not using regexes: they're fixing this by switching to an NFA-based regex engine, so the nearly-exponential explosion no longer happens. (Instead, you can get an explosion in NFA states, but this is statically detectable at regex compile time rather than stabbing you in the face at runtime without warning. Much better.)
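To make the post's point concrete, here is an added example (my code, not NullNix's and not Cloudflare's engine) of the two matching strategies side by side in Python. The backtracking side is Python's own `re` module; the NFA side is a small Thompson-style simulation for a deliberately tiny regex subset (literal characters, `.`, and a `?` or `*` suffix), which is enough to express the classic pathological pattern. The simulation tracks a set of live states, so its cost is bounded by input length times state count, and the state count is known when the pattern is compiled, which is the "statically detectable at compile time" property the post mentions.

```python
"""Added example: backtracking versus NFA simulation on a pathological regex.
This is illustrative code, not any production regex engine."""
from __future__ import annotations
import re
import time


def compile_pattern(pattern: str) -> list[tuple[str, str]]:
    """Compile the tiny subset into units of (character, quantifier).
    The character may be '.', the quantifier is '', '?' or '*'."""
    units = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c in "?*":
            raise ValueError("quantifier without operand")
        q = ""
        if i + 1 < len(pattern) and pattern[i + 1] in "?*":
            q = pattern[i + 1]
            i += 1
        units.append((c, q))
        i += 1
    return units


def state_count(pattern: str) -> int:
    """Number of NFA states: known at compile time, so a blow-up (e.g. a huge
    counted repetition expanded into units) can be refused before any input."""
    return len(compile_pattern(pattern)) + 1


def epsilon_closure(states: set[int], units: list[tuple[str, str]]) -> set[int]:
    """Follow free transitions: an optional or starred unit may be skipped."""
    closure = set(states)
    stack = list(states)
    while stack:
        s = stack.pop()
        if s < len(units) and units[s][1] in ("?", "*") and s + 1 not in closure:
            closure.add(s + 1)
            stack.append(s + 1)
    return closure


def nfa_fullmatch(pattern: str, text: str) -> bool:
    """Thompson-style simulation: one pass over the input, a set of live states,
    no backtracking, so time is O(len(text) * len(units))."""
    units = compile_pattern(pattern)
    current = epsilon_closure({0}, units)
    for ch in text:
        nxt = set()
        for s in current:
            if s == len(units):
                continue
            c, q = units[s]
            if c == ch or c == ".":
                nxt.add(s if q == "*" else s + 1)   # a starred unit can repeat
        current = epsilon_closure(nxt, units)
        if not current:
            return False
    return len(units) in current


def pathological_case(n: int) -> tuple[str, str]:
    """The classic a?^n a^n pattern against a^n: a backtracking matcher explores
    on the order of 2^n ways to assign the optional parts before it succeeds."""
    return "a?" * n + "a" * n, "a" * n


def compare(n: int) -> dict:
    """Run both matchers on the pathological case and time them."""
    pattern, text = pathological_case(n)
    t0 = time.perf_counter()
    bt = re.fullmatch(pattern, text) is not None
    t_bt = time.perf_counter() - t0
    t0 = time.perf_counter()
    nf = nfa_fullmatch(pattern, text)
    t_nf = time.perf_counter() - t0
    return {"n": n, "backtracking": bt, "nfa": nf,
            "backtracking_seconds": t_bt, "nfa_seconds": t_nf,
            "nfa_states": state_count(pattern)}


if __name__ == "__main__":
    for n in (10, 15, 20):
        r = compare(n)
        print(f"n={r['n']:2d} states={r['nfa_states']:3d} "
              f"backtracking={r['backtracking_seconds']:.3f}s "
              f"nfa={r['nfa_seconds']:.5f}s")
```

Raising `n` a few steps at a time shows the backtracking column growing geometrically while the NFA column stays flat; `state_count` is the number a compile-time limit would be checked against, which is where a linear-time engine turns the runtime surprise the post describes into an up-front rejection.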

Money laundering and crypto-coin legislation could hurt open-source ecosystem – activists

NullNix

So... it appears that the authors of this document either didn't grasp that open source software is not a purely cryptocurrency thing, or expected it to be obvious that this stuff only relates to implementations of cryptocurrency software. In which case... it's still broken, since essentially all such software depends on generic layers: are the glibc maintainers going to be bound by this stuff? What about LLVM and GCC? What about the Linux kernel? Compromise that, you've compromised the cryptocurrency wallet stuff...

(Never mind the obvious stupidity of trying to apply 'know your customer' regulations to something where the software is given away to anyone, so of necessity it would require both a time machine and telepathy to know even the simplest details about all future customers, let alone anything more -- not that open source developers can prevent some "customer" deemed unsuitable under the regulations from using the software anyway, since copyright licenses cover only distribution, not use, and if something is employed which does restrict use the software isn't open source any more.)

What on earth were they thinking?!

RIP Hyper-Threading? ChromeOS axes key Intel CPU feature over data-leak flaws – Microsoft, Apple suggest snub

NullNix

Quite. In particular, the RIDL paper can exfiltrate data you shouldn't have access to even in the absence of hyperthreading. There's a little more noise, but if you have TSX even that is driven down to irrelevantly low levels. (TSX: not so useful for real work, but oh so useful for attackers!)

Begone, Demon Internet: Vodafone to shutter old-school pioneer ISP

NullNix

Re: And another old name is discarded...

Ah yes, Spuddy. Stephen is still around, btw, even if long moved to the US and not running Spuddy as a service for many years :) (the domain is still around, and he still uses it for his email, and there are still some users AIUI, of the personal-friend variety :) ).

(Another ex-Demonite here, esperi.demon.co.uk as was, joined in 1996 I think, via KA9Q at first. Transitioned to Linux after a few years, then migrated to Zetnet in 2003 because Demon was clearly not the wonderful thing it used to be; migrated in fury to AAISP in 2008 after Breathe bought Zetnet and screwed it up so catastrophically that even if you were running your own mailserver and your own MX records they still managed to lose all your mail with no recourse because you couldn't even get back control of your domain: they took an entire month just to let me get out: about what you'd expect of an ISP that bizarrely boasted on its own corporate homepage of how many times they'd gone bankrupt. AAISP at least have proved wonderful for a decade and counting now.)


Biting the hand that feeds IT © 1998–2021