* Posts by that one in the corner

5065 publicly visible posts • joined 9 Nov 2021

CrowdStrike blames a test software bug for that giant global mess it made

that one in the corner Silver badge

> So I would have expected that some developer set up some malware, checked that it successfully used these named pipes, implemented the change, and verified that the malware now failed to use these named pipes. And while testing this they would have noticed a crash during boot.

Go back over your scenario and compare it to Joe Bloggs's PC on Friday morning, as it BSODs.

What is different?

Joe's machine does *not* have any pipe-using malware.

So, how about the dev *didn't* notice a crash during boot, because it didn't crash, but spotted the malware and dealt with it. Maybe even called over the PHB to demonstrate the positive case. Job done, sign off, release update.

Whoops, tested the true positive, demonstrated the clever stuff worked. But forgot to test the negative condition. The one that most Users actually have.

If that happened, it would still be a QA failure, of course, but, be honest, who hasn't forgotten to test the negative condition, at least once.

And "once" is the number of times that poor sod of a (hypothetical) Dev would forget.

that one in the corner Silver badge

Re: Parse, don't validate

> Parse, don't validate

No.

Parse *then* validate.

> After (proper) parsing you know that the data is valid!

Successful parsing says the data is grammatically well-formed, *not* that it is valid.

my_age = 264

may well parse, but it ain't valid. Heck, depending upon the grammar,

my_age = purple

may parse quite happily (I am, of course, a super-intelligent shade of the colour blue, not purple in the least).

You can add semantic checks into the erstwhile "parser" code, but unless you have put those into the grammar (e.g. there is only a fixed set of colours my age could be) then you are just mashing up the terms used to describe what your code is doing.

In particular, validation of data can (often does) involve cross-checking with other data, which need not have gone anywhere near your parser.
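As an added illustration of the parse-then-validate point (example code, not from the post or its author): a grammar that happily parses `my_age = 264` and `my_age = purple`, followed by a separate validation step that rejects both and also cross-checks against data the parser never saw. The field rules and the birth-year cross-check are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Grammar for one assignment line (an assumption for this example):
#   <identifier> "=" ( <integer> | <identifier> )
# Anything matching this is "well-formed"; the grammar says nothing about meaning.
_LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(\d+|[A-Za-z_]\w*)\s*$")


@dataclass(frozen=True)
class Assignment:
    key: str
    value: Union[int, str]   # int for a numeric literal, str for a bare identifier


class ParseError(ValueError):
    """The line is not grammatically well-formed."""


class ValidationError(ValueError):
    """The line parsed, but its content is not acceptable."""


def parse(line: str) -> Assignment:
    """Step 1, grammar only: 'my_age = 264' and 'my_age = purple' both parse."""
    m = _LINE.match(line)
    if not m:
        raise ParseError(f"not well-formed: {line!r}")
    key, raw = m.groups()
    return Assignment(key, int(raw) if raw.isdigit() else raw)


# Semantic rules per field (assumed for the example): required type and a predicate.
RULES = {
    "my_age": (int, lambda v: 0 <= v <= 130),
    "my_colour": (str, lambda v: v in {"red", "green", "blue"}),
}


def validate(a: Assignment, context: Optional[dict] = None) -> Assignment:
    """Step 2, semantics: type, range, allowed values, and a cross-check against
    other data (the context) that never went anywhere near the parser."""
    if a.key not in RULES:
        raise ValidationError(f"unknown field {a.key!r}")
    required_type, acceptable = RULES[a.key]
    if not isinstance(a.value, required_type):
        raise ValidationError(f"{a.key} must be {required_type.__name__}, got {a.value!r}")
    if not acceptable(a.value):
        raise ValidationError(f"{a.key} = {a.value!r} is out of range or not allowed")
    if a.key == "my_age" and context and all(k in context for k in ("birth_year", "current_year")):
        implied = context["current_year"] - context["birth_year"]
        if abs(implied - a.value) > 1:   # allow for a birthday either side of today
            raise ValidationError(f"my_age {a.value} disagrees with birth_year (implies {implied})")
    return a


def check(line: str, context: Optional[dict] = None) -> str:
    """Parse, then validate; report which stage rejected the line, if any."""
    try:
        validate(parse(line), context)
    except ParseError:
        return "parse_error"
    except ValidationError:
        return "invalid"
    return "ok"


if __name__ == "__main__":
    for sample in ("my_age = 264", "my_age = purple", "my_age = 42", "my_age == 42"):
        print(f"{sample!r:20} -> {check(sample)}")
```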

that one in the corner Silver badge

Re: my surprise...

> I suppose the wrong hundred thousand machines could wreak havoc while ten million personal devices could be an inconvenience.

A key point here is that CrowdStrike is only installed (barring a few home users with more money than sense - or a "borrowed" work key) by companies, and generally larger ones at that.

So personal devices (barring ...) were never at risk from this cockup - instead it was going to be machines that stopped one part of a (big) company doing something, which stopped their colleagues doing something else which...

Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil

that one in the corner Silver badge

Where can I get more of that scam?

> The scam is that they are actually doing the work, getting paid well

If the "scammer" is actually doing the work, can we get some more of, please?

Maybe in one or two companies whose QA teams we have recently suspected are understaffed (and/or the staff are underperforming).

Ok, not this particular guy, with his penchant for malware.

Just a strange use of the word "scam". Fraudulent ID, yes.[1]

[1] Which raises another question: if they were going to have a video call, why use (pseudo)AI to modify a stock photo? Couldn't find a camera and a blank wall to stand against? Or some people have just fallen for the "AI" hype, even in N. Korea.

How to maintain code for a century: Just add Rust

that one in the corner Silver badge

Re: Fifty years?

Much as I wish for a Rust that is less of a moving target, your point is misaimed.

The specific case you cite is absolutely normal when bootstrapping any language's compiler.

> Rust from two years ago can't compile rust (the toolchain itself) now.

For Language X, Compiler V1 is coded in - anything you like, even BASIC. V2 is coded in V1 and adds features F2. V3 is coded in V2, using features F2, adding F3. V4, coded in V3 using F3, adding F5. And so on and so forth.

Trivial observation: compiler V1 can not build compiler V3; V2 can not build V4; and so on and so forth.

> rust code written now will still be compilable 50 years from now?

BUT, unlike bootstrapping, where you are asking if older compiler can manage newer code, NOW you are asking if newer compiler can build older code.

To which the answer, as you already know from existing examples, is: YES!

In the Good Case, it is really easy, because the compiler, over the next 50 years, added backwards compatibility flags: take a look at GCC. Nice and easy.

In the Bad Case, you have to dig up an older copy of the compiler. Drat, all the hardship of getting the release from GitHub (or wherever) and looking up articles in the Way Back Machine.

that one in the corner Silver badge

but no FOSS package ever dies

Oh yes they do - and have.

Nowadays, the bulk of FOSS is shoved into GitHub and will be available - for as long as GitHub bothers to run its servers[1].

Back in the day, Tarballs and Arc files were downloaded direct from the author's site and then you were expected to mirror it if it was important to you.

Then the Web was "discovered" by more and more people and for some reason the mirroring stopped and changed to just dropping in a link to "the" download location - and of course, we then learnt that URLs have a half-life.

As public version control servers came online - and people started to trust them - we saw materials on something safer than a personal site, or the pages of a company that vanished overnight (sometimes the entire company vanished, sometimes just the project)[2].

If you are lucky, the Internet Archive grabbed a copy and you can try one of the dead URLs there; patience can be required[4].

If you are really lucky, somebody has put a copy into GitHub[5] - although you can open yourself up to flames because your copy "doesn't compile for me"[6]

And what about the FOSS that is practically single-sourced by being published in that JavaScript compost heap? Was LeftPad() also available from GitLab? Some of it is handled properly (p5.js oooh, squiggly and probably safe from vanishing).

Of course, any FOSS that does fall through the cracks "is not important" - after all, all the Linux distros keep their own copies of source packages, "so we are not actually reliant on GitHub at all, Corner you fool."

Not important. Well, you never know. Literally, you never know, it has gone now.[7]

[1] Then we'll have to go back and pull the older version from SourceForge.

[2] As a few others did I like the old "Elegant" library & util from Philips Labs - good luck finding that, on the Philips site - or doing a web search for it available elsewhere[3]

[3] stop giving your projects names that are normal words!

[4] not being able to find something is, in all practical terms, the same as the thing no longer existing at all. Take note when organising your backup copies...

[5] really must put my compiling copy of Elegant up on GitHub

[6] so maybe I won't put Elegant up, as I only have Makefiles for My Own Build System and am fed up telling people how to write build scripts for their favoured build tools. Seriously.

[7] "Important" is a relative term[8]. Maybe it is really important to *you* to generate an awful lot of Elegantly laid out syntax diagrams in the next day or you can't pay for Tiny Tim's new crutches, he is growing so fast nowadays, at least the one leg is.

[8] see so very many commentards "well, my PC is ok so this is a non-issue" and the response to same

[9] Footnotes FTW. Be more Pterry!

How did a CrowdStrike file crash millions of Windows computers? We take a closer look at the code

that one in the corner Silver badge

Gizza job

This whole thing is just Kurtz's SOP for getting his name into the press before leaving for a new job, just like when he left McAfee.

We all curse the very soil he walks upon, but for the money men in smoke-filled rooms: "Kurtz? Kurtz? I've heard that name somewhere, haven't I? Well, guess that means he's famous. Go ahead, lob some money at him, let's see what he can do. Got any more brandy?"

that one in the corner Silver badge

Re: Canary releases?

> I just used to call them phased releases, back in the day.

But were you dealing with code that could totally knacker the machine?

The canary falling off its perch is a good analogy for a BSOD (shortly followed by an explosion - of expletives heard all around the open plan office).

But if your app failing just meant it had to be restarted whilst the rest of the User's tasks progressed as normal - well, "signal the alarm, the canary has a bit of an itchy wing" doesn't have quite the same ring to it.

Administrators have update lessons to learn from the CrowdStrike outage

that one in the corner Silver badge

Considering the root cause was a total lack of file content validation (or a staggeringly shitty one if a file of all nulls is "valid"!), not even one of the "genuine antimalware boo-boos" (like the classic "false positive quarantining a key system exe") perhaps this case should prompt the Sys Admins to ask - demand - for the right to test the system for themselves.

I.e. to know precisely what files are capable of being updated, their update method (humans running installers, auto-installers that still show up in "Programs and Features" or "just data we silently grab from our servers"). Which then allows them to run a test system and actually, um, test the software before they install it. By feeding it gibberish files.

Yes, you *ought* to be able to trust your vendor has run fuzzing tests, zero byte files etc, but if you are knowingly going to install software - well, really any software you install fleet-wide, but especially stuff you *know* can fiddle at a low level - and you are prevented from doing your own (double) checks that at least the most basic, trivial, well known and bleeding obvious protections are present then perhaps you should be raising alarm bells.

ESA's meteorite bricks hit Lego stores, but don't get your wallet out just yet

that one in the corner Silver badge

That isn't Classic Space

It doesn't have the LEGO swoosh on it.

It arrived in June? So LEGO knew it was coming and they haven't included a model of it in their current Collectable Minifig range (which is all about space, from Classic Space to UFOs). What a missed opportunity.

Intel to deliver fix for Raptor Lake CPUs made 'unstable' by voltage snafu

that one in the corner Silver badge

Re: Too much complexity

> The problem is that some things just don't scale well in parallel.

As we have seen machines moving to more and more cores in the CPU (with or without hyperthreading), it is only too obvious how few programs can even take advantage of using "more of what we are used to", let alone reworking to take advantage of GPUs. Bring up Task Manager - and fire up lots of separate apps just to make it look as though that CPU was a sensible buy.

(Then again, given what I've seen coders do with mutexes it is probably a good thing that we don't have everybody trying to parallelize...)

EU gave CrowdStrike the keys to the Windows kernel, claims Microsoft

that one in the corner Silver badge

Re: Back in the early naughties...

> It was an absolute godsend for creating software to match native microsoft applications.

Only if it came a good while after the book Undocumented Windows (or you had a copy of that as well) or you would not have known how to write text out and get the TABs interpreted correctly.

And good luck matching Microsoft Office's use of MDI if you decide to use the *documented* MDI WndProc...

that one in the corner Silver badge

Re: Wrong question

> I wonder if the Windows T&Cs don't have the same language. If they don't, they should.

What, you didn't read it? :-)

These days, MS just go with the standard "it isn't fit for any purpose" wording:

>> Microsoft and the device manufacturer and installer exclude all implied warranties and conditions, including those of merchantability, fitness for a particular purpose

In days gone by, just about every bit of COTS software made you explicitly agree to such things as not running nuclear power plants or even using it to control an aircraft, heavy machinery or medical equipment[1].

Nowadays, those explicit warnings seem to have gone Tubby bye-byes.

However, the "we never promised it could do anything at all" language has the same effect, it is just trying harder to hide in the safety of apparently innocuous words.

[1] wish I could give URLs for this as well, but searching for the no nukes policy took digging through so, so many irrelevant hits. Was trying to get, e.g. the T&C's for Windows 2.0, they may be old enough to have the more explicit language, but so far, no dice.

that one in the corner Silver badge

> you MUST have data fuzzing and mutation testing going. From everything I can see this far, it's totally clear that CrowdStrike has neither!

Good grief, CrowdStrike clearly didn't even have basic, trivial, content validation on their files, like magic numbers and a checksum.

Yes, they should fuzz etc, but for pity's sake, call them out on missing the truly basic stuff first!

that one in the corner Silver badge

Re: WHQL

> You should not be able to feed new code to something running in the kernel space from the user space and certainly not without huge amounts of checking.

Sod running in kernel space.

How about just sanity checking the contents of a file, any file in any process at any priority level, before blindly interpreting its content.

Like, in a binary (data) file, checking for magic bytes, the checksum at the end... And just refusing to touch it when it is clearly insane.

That is basic stuff for any program, surely?

If a file with a duff photo can be calmly rejected because it doesn't have the JFIF magic numbers, but ...
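An added example of the basic sanity checks this post and the earlier comments about magic numbers, checksums and "feeding it gibberish files" are asking for. It is not the poster's code and the container format is a constructed one for illustration, not any vendor's: magic bytes, a version, a length field and a trailing CRC32, with a file of all nulls and other junk refused before anything looks at the payload.

```python
import hashlib
import struct
import zlib

# A constructed container format for this example (an assumption, not any vendor's):
#   bytes 0-3  magic    b"CHNL"
#   byte  4    version  must be 1
#   bytes 5-6  length   big-endian payload length
#   bytes 7..  payload  `length` bytes
#   last 4     crc32    over everything before it, big-endian
MAGIC = b"CHNL"
VERSION = 1
HEADER = struct.Struct(">4sBH")   # 7 bytes
TRAILER = struct.Struct(">I")     # 4 bytes
MAX_PAYLOAD = 4096


class BadContent(ValueError):
    """Anything failing these checks is refused before the payload is interpreted."""


def build(payload: bytes) -> bytes:
    """Produce a well-formed file; used here to make test inputs."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    body = HEADER.pack(MAGIC, VERSION, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


def load(blob: bytes) -> bytes:
    """Return the payload only if every basic sanity check passes."""
    if len(blob) < HEADER.size + TRAILER.size:
        raise BadContent("too short to hold a header and a checksum")
    magic, version, length = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:                      # a file of all nulls fails right here
        raise BadContent(f"bad magic {magic!r}")
    if version != VERSION:
        raise BadContent(f"unsupported version {version}")
    if length > MAX_PAYLOAD:
        raise BadContent(f"length {length} exceeds limit")
    if len(blob) != HEADER.size + length + TRAILER.size:
        raise BadContent("length field disagrees with file size")
    body = blob[:-TRAILER.size]
    (stored_crc,) = TRAILER.unpack(blob[-TRAILER.size:])
    if stored_crc != zlib.crc32(body):
        raise BadContent("checksum mismatch")
    return blob[HEADER.size:-TRAILER.size]


def rejects(blob: bytes) -> bool:
    """True if the loader refuses the blob (the right answer for junk)."""
    try:
        load(blob)
    except BadContent:
        return True
    return False


def gibberish_inputs() -> dict:
    """Constructed junk of the kind a sysadmin's own test run would feed the loader."""
    good = build(b"rule data")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01          # flip one payload bit; checksum must catch it
    return {
        "empty": b"",
        "all_nulls": bytes(64),
        "all_ones": b"\xff" * 64,
        "pseudo_random": hashlib.sha256(b"constructed seed").digest() * 2,
        "truncated": good[:-1],
        "tampered": bytes(tampered),
        "magic_only": MAGIC + bytes(60),   # right magic, then nothing sensible
    }


def wrongly_accepted() -> list:
    """Names of gibberish inputs the loader accepted; must be empty."""
    return [name for name, blob in gibberish_inputs().items() if not rejects(blob)]


if __name__ == "__main__":
    print("payload:", load(build(b"hello")))
    print("junk accepted:", wrongly_accepted())
```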

that one in the corner Silver badge

Re: Dave Plummer has a different take on this

> back in 1963

> 62 years later...

We find out why I've been getting complaints about post-dating cheques by a year.

that one in the corner Silver badge

Re: Dave Plummer has a different take on this

> downloaded as a Cy file, which contained only zeros instead of pcode or malware definitions

So, we learn that zero is not NOP in their pcode?

Then again, NOP is hardly ever opcode zero, which can be considered unfortunate, as getting a file full of zeroes is one of THE classic blunders[1] (just ahead of a file full of all ones or a serial connection full of curly braces).

And if they'd just read it as good old fashioned ASCII, a sequence of NULs would just get ignored; almost as if they knew what they were doing back in 1963.

62 years later...

[1] The most famous of which is, "never get involved in a land war in Asia"

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

that one in the corner Silver badge

The occurrence of kernel panics mere weeks

> before CrowdStrike broke many Windows implementations therefore hints at wider issues at the security vendor.

That they accidentally released the Linux borkage weeks ahead of schedule, before it was ready to really screw things up. After that, they continued as planned to really knacker a load of Windows boxes, but had to hold back the completed Linux version "because the sysops were already on their toes and wouldn't be so easily caught out".

The CrowdStrike C-suite were annoyed at the resulting partial success, but the CFO pointed out it gave them a bit more time to practice holding pinkies to mouths and getting the correct "eee" in "beeelions".

Google to kill off URL shortener once and for all

that one in the corner Silver badge

Re: I still use them - bit.ly

Perhaps it is time to research how to run a little web redirector next to your forum server and slowly wean yourself off Bitly: get yourself free before they have the chance to Boojum your members.

that one in the corner Silver badge

Re: Link Rot

It is a cunning ploy on their part. I used to copy MS URLs into my notes and docs, expecting to find them again in a week's time. But they have now hidden Product 2009 and any attempt to search for it on their site only returns Product 2023 (or Product 365). Eventually, you give up as it is cheaper to just buy the new damn Product.

I am less gullible now, and make heavy use of the Print Edit WE add-on, or similar, to store a local copy and put a link to *that* in my docs.

that one in the corner Silver badge

Re: Decisions such as Google's

First problem is trusting yourself to a service without a contract and being surprised when it no longer works for free (or at all).

Pay for your basket, and get an SLA, if you actually give a damn about your eggs.

that one in the corner Silver badge

As you illustrate, anyone using a Google product does so voluntarily (or they are volunteered by PHB).

It is just that they offered things that many people decided to use - and nobody had paid for an SLA. Which means Google can do whatever it wants with all its kit, just like you do whatever you want with yours.

The meat of TFA is really that people are now going to reap the rewards of not bothering to buy a product: maybe target your anger towards all those people who let the situation come into being and who are the ones that will suffer (and their clients/customers as well, of course).

Then you can use your words productively and point out when those people just go and make the same mistake with another "free" service.

that one in the corner Silver badge

Re: Good riddance

> There are times when a shortened link is either necessary ... the link has to be read out and typed in manually because someone's going to mention it in a speech, video, or advertisement ... build my own link shortener.

99% agree.

The other 1% is because I'd try not to even think of it as a link shortener, but a link sensible namer. Shortening can lead to systems like - well, all of them I've seen used - where you end up giving out 9 chars max of gibberish, whilst a namer tells you to use a sensible name and have, ooh, two dozen chars if it is warranted. E.g. blogs.com/ads/fake-james-bond

CrowdStrike shares sink as global IT outage savages systems worldwide

that one in the corner Silver badge

Re: I don't mind people blaming Windows..

> Bound to be a bad character in a file

We have been told what the dangerous file is called and what timestamps to look for.

Has anyone thought to keep a copy, rather than just deleting it as they were instructed?

Does it by any chance read "Step 7 - this file to be overwritten with the output from Step 6"?

that one in the corner Silver badge

Re: There's something familiar about all of this...

> I want something with a Schwartzchild Radius to make sure there's no chance of information escape.

Sorry to be the bearer of bad news, but according to The Holographic Principle

>> the information content of all the objects that have fallen into the hole might be entirely contained in surface fluctuations of the event horizon.

One day, those fluctuations will be readable, imprinted on the Gravity Waves and propagated across the Universe.

Better to chuck it into the Sun and have it all drowned out by the thermal noise.

CrowdStrike file update bricks Windows machines around the world

that one in the corner Silver badge

> All the Cavendish bananas... It means they're all susceptible to a disease, if one were to appear.

Or any other pest[1], like happened to the Gros Michel (which is why banana flavour sweets no longer taste like bananas).

> If, or when, Nature invents a British Japanese Knotweed disease that kills one, it could kill them all.

That would be the silver-lining to the banana menacing cloud, eh.

[1] what, you don't count humans and their plantation-stripping habits as a pest?

that one in the corner Silver badge

>> In a fair world, this would be the end of crowdstrike.

> and yet they're after Kaspersky

Incoming claim this was a Soviet[1] attack in retaliation in 5 4 ...

On TV news this morning you could almost see the sofa dollies salivating at the idea, as they pushed their various experts to say all the troubles today are down to some "hack".

[1] I know, *I* know.

SpaceX asks the FAA: 'Can we launch our rockets again, please?'

that one in the corner Silver badge

Re: "Passivated" I understand, but "fully demised"?

> These are both Government Regulatory Body terms.

Ta for that.

> not in big enough pieces for government to care about.

So not only

>> not our problem any more

but even the government agrees about that![1]

[1] although hopefully that means it is now only "problematic" in that it is now merely unexpected brief lights in the sky and not "you can't prove those holes are anything to do with us" -:)

that one in the corner Silver badge

"Passivated" I understand, but "fully demised"?

As per discussion above, and your old chemistry texts, "passivated" has well(!) known techie usage.

But "demised"? "His demise" for the death of a person (the end of his hold on life), certainly common usage. But with the extra 'd' on the end - have only seen that referring to the transfer of a leasehold (the end of holding by one person).

So, "fully demised" = "passed it on to somebody else, not our problem any more".

SpaceX hit by inflight Falcon 9 failure

that one in the corner Silver badge

Broadsword to Danny Boy

> build-up of what appeared to be ice around the Merlin engine

Sorry, when I hear "Merlin engine" there is still only one that I think of, and that thankfully didn't ice up when it went into space: gave the Daleks a taste of their own medicine, what what.

NEEEEooooow.

Coders' Copilot code-copying copyright claims crumble against GitHub, Microsoft

that one in the corner Silver badge

Re: Magically tuned

> One doesnt even need to parse into an AST. What about replacing NL with CRs?

>> have just re-invented the pretty-printer[1]. Ok, not even the most out of touch judge is going to let that one pass.

Swapping line endings won't make the code even slightly look different to the judge (anyone showing him the two files could just use the most basic of programmer's editors which cope with all three line endings forms as a matter of course).

Pretty-printing will do more, adding/removing whitespace all over the place, changing line count (select K&R or 1TB or whichever other alignment the original author did not prefer). And if that isn't (IMO) going to convince any judge, a totally invisible (to him) line ending change is even less likely to.

that one in the corner Silver badge

Magically tuned

> tuned its programming assistant to generate slight variations of ingested training code to prevent its output from being accused of being an exact copy of licensed software.

If I have a piece of software that can generate slight variations on a piece of code then I can claim its output as my own without any risk of being done for breaking a licence?

Cool. How many slight variations do I have to perform?

If I take a compiler front-end, use it to generate an AST then print that out again, I have just re-invented the pretty-printer[1]. Ok, not even the most out of touch judge is going to let that one pass.

But what if I run optimiser passes over the AST and then print the result? Can't be the same code, Your Honour, it doesn't have a loop here[2], none of these long lines of calculations are present[3], these lines are all in a different order and those extra bits added[4].

Oh, but we all agreed a while back[5] that the changes made by the optimiser didn't mean the "modified" code is no longer your licenced code.

But a "tuned" LLM does make changes that remove the licence.

Ok, why is the optimiser treated differently to the LLM? Because you can document what the changes are going to be? Because they are predictable[6]? Because the optimiser's verbose mode can explain why each change was made, the effect it has on the output?

In other words, because the LLM is a magic black box whose inner workings nobody can (or has put the effort into trying to) understand?

[1] or the ugly-printer, depending upon how much effort is put into the layout heuristics, but that is by the by.

[2] it got unrolled

[3] it all got precomputed; turns out to be a constant, if the input values got past those conditionals; but the coder was correct to spell it out in full and not just give a magic number.

[4] increase hardware utilisation by reordering functionally independent chunks - after introducing a few temporaries to break apparent dependencies, then recombining those into the final result.

[5] to the annoyance of some, who used to charge a fee before you distribute a copy of your own code in its compiled form.

[6] even though coders who just use the compilers can't always predict them (ah, the joy of heuristics) and have wasted hours trying to figure out what change to their source code caused the compiler to suddenly decide to stop optimising this inner loop, making the program go much slower now.

China pushes for network upgrade blitz as IPv6 adoption slows

that one in the corner Silver badge

At least you are willing to change; some people seem to be waiting for Cold Fusion.

Tesla parental controls keep teenage lead feet in check

that one in the corner Silver badge

Automatics can ease a lot of driving - except that when we had two cars, the automatic was the one that always got stuck in the lightly snowy carpark: it just couldn't manage the trick and kept spinning its wheels, spraying everyone trying to push it.

Ok, I didn't always get the manual out - but of course that just meant the snow was clearly too much, we shouldn't attempt it, not that I'd just made a mess of the clutch control; no, that never happened. Ahem.

that one in the corner Silver badge

Re: The electric vehicle marque

Hmm, wouldn't you rather have a vehicle with a decent Hallmark or Maker's Mark, rather than treating it like cattle on an American ranch?

(Even I'm not going to suggest going straight for the British equivalent of cattle branding, recognising the manufacturer by the colour of sheep dip they used).

that one in the corner Silver badge

> little no-licence car (limited to 45kph/29mph) so I have already come to grips with ... overtaking tractors

Clearly not the supercharged tractors we get whipping around the place, opening up the throttle as soon as the B roads are wide enough for a dotted line down the middle!

that one in the corner Silver badge

Manual transmission - the future of electric vehicles

At least, according to Toyota, whilst with Dodge you can even get an exhaust!

Hmm, one day knowing how to drive manual will become the preserve of the rich and stoopid who want to drive "special" cars, like a faked-out Charger, and of the scrotes who steal them.

True rednecks might want to keep manual, or manly-ual, but will give it up when they realise they can futz the batteries to run hot and do the "rolling coal" with added smokey flavor.

Raspberry Pi OS airs out some fresh options for the summer

that one in the corner Silver badge

> in fairly short order I'd be cooked

At 110 you'd just be poached, which would be a shame. You really need to get the temp up a bit more to be properly cooked, with a nice crispy skin.

Microsoft China staff can't log on with an Android, so Redmond buys them iThings

that one in the corner Silver badge

Re: "golden cryptographic key"

But, but - according to the 2023 article, "Redmond assures us it has made changes to prevent them from happening again".

So don't worry, our UK/EU Golden Keys[1] are totally safe and secure, we can trust anyone in Redmond to have our backs.

[1] note: for the sake of security, end-use governments are given one copy of the Golden Key. In case you forget where you put it, Redmond can help you recover it using their Platinum Key.

Eldorado ransomware-as-a-service gang targets Linux, Windows systems

that one in the corner Silver badge

Re: "encrypts files on both Linux and Windows machines"

> This would point to a default setup problem. Like RPi OS maybe? (sad but true)

Really, really hoping anyone who is exposing a R'Pi has at least changed the default login setup.

Otherwise - is this the sort of thing they call "a teachable moment" at BOFH school?

Latest Ghostscript vulnerability haunts experts as the next big breach enabler

that one in the corner Silver badge

> Why would anyone spend soo much effort and money to find something worth basically nothing. Who pays for all the other experts who find nothing ?

Q: Why do road car manufacturers build Formula race cars? They are worth basically nothing (they used to feed some tech back into road cars, but who needs a massive regen storage flywheel weighing down a road car?).

A: because it is good advertising and pulls in the punters

Plus, companies who are worried about the costs that vulns may cause them are quite happy to pay a (to them) small amount of money to keep vuln hunters in coffee and pizza: any vuln found can (probably) save them far more.

Look at it this way: why pay for something like data backup, it does not add a single penny to the bottom line. Even when you need to act on your DR plan, it is all cost and no gain to the bottom line. But it is a *SMALLER* cost than not doing DR.

Isn't all this pretty basic stuff?

that one in the corner Silver badge

> cow: thanks, so they used up all their $1M to maybe find a vuln ?

No. They used that money to set up their company and get their product into a state ready for sale. Just as you expect a startup to do.

Go and *read* the links - they provide services to help with security, and one thing they do is look for vulns.

that one in the corner Silver badge

Clearly PostScript qua PostScript is just old NeWS now; maybe move on from GhostScript[3]

From the blog linked to by the article:

> It is good to remember that Postscript is a well-featured Turing-complete programming language ... All of this puts Ghostscript in an odd place where it wants to allow all these legacy use-cases, but it is also commonly being used as a conversion tool on untrusted files, which are often treated more as static graphic descriptions rather than as programs.

"legacy use-cases"?

So PostScript is just some nasty old "legacy" language (with the usual implication of "legacy" that it should be buried and forgotten)? Leave it as some oddball implementation detail of our gorgeous laser printers but otherwise brush it under the carpet?

Look, except for having a bit of fun, *I* don't make use of PsTricks in my TeX/LaTeX documents[1]. But I also don't make use of a scanning electron microscope, a laser cooling rig or even a visual interferometry alignment device[2]. But those who do need that sort of power and complexity can produce some damn impressive and useful results.

GhostScript *is* a PostScript interpreter, first and foremost. And jolly good it is too.

If GhostScript is "in an odd place" (and one that risks opening unexpected vulnerabilities) then is it not down to any "legacy" PostScript usage but to the fact that it is being used to *also* run the lesser variant of PostScript implemented within PDF (is it still referred to as "Interchange PostScript" aka "IPS"? Or just referred to as "whatever is inside PDF"?). It is obvious why and how a full interpreter came to be running PDFs as well, it was almost inevitable (and the way that this then became, and remains, so widely used, when there are competing bits of software that only handle the PDF subset, speaks well for the results).

HOWEVER, perhaps a lot of the people who put Ghostscript into their pipeline purely for handling PDF ought to be lightly castigated for not promoting the use of GhostPDF, which is just a PDF interpreter, separated from the PostScript interpreter, and can perhaps be gently guided away from some of the complexities discussed in the Codean blog (and the concerns that the Ghostscript authors talk about in their blog post) and vulnerabilities that arise from those.

[1] And I'm well aware that using TeX/LaTeX is a minority sport, even around El Reg readers (although, I argue that if you are ever going to programmatically generate PDFs you can do a lot worse than starting with LaTeX, especially if you like to include your inputs in your choice of plain-text version control system), PsTricks more so.

[2] actually, only because my telescopes are refractors, so I leave the alignment of compound reflectors to the other members of the local amateur astronomy club.

[3] if all you need is PDF, consider GhostPDF

that one in the corner Silver badge

To start with, they raised €1M from TIIN Capital’s Dutch Security TechFund and five experienced angel investors in 2022.

At this point, they are selling, for much moola per seat, software for code reviews, aimed at "security experts".

As to who actually *buys* any of this (especially given the inevitable comments here that "the people I work for don't care about security"), the answer appears to be - the people who actually run all of the crap that we (El Reg commentards) are generally more involved in creating in the first place. Names that appear[1] are people like KPMG, banks, NATO, national governments' departments of cybersecurity.

You know, all of our (shudder) Users.

[1] as I continued to spend the full 10 minutes on the web search around this question

that one in the corner Silver badge

> Debian ghostscript is now up to 10.0.0 so unless there's been a regression this is well behind us

The vulnerability is in versions up to and including 10.03.0, according to the linked blog post.

You need to use Trixie (testing) or Sid (unstable) to get the fixed 10.03.1

Although there are patched copies of older versions to be had in the interim.

We've banned Chinese telco kit and drones. Next: Mountain bikes?

that one in the corner Silver badge

Re: Chinese pushes Drone subversion button

Ah, CowHorseFrog, as charming and delightful a raconteur as ever.

BTW: Whooooosh

(You missed complaining that radio can't penetrate musty teenage clothing)

that one in the corner Silver badge

Chinese pushes Drone subversion button

and across the US all the drones power up and take flight, providing total surveillance coverage.

Forty minutes later, their batteries drained, the drones have dropped to the ground.

Chinese intelligence scour the data returned and the GPS positions of all the dark cupboards, grubby backpacks, bottom of car trunks, dust bunnies under the bed and piles of unwashed teenage clothes beneath which the vast majority of drones spend their lives.

that one in the corner Silver badge

Re: "its fleet of DJI drones"

> And what exactly are the government using a fleet of drones for ?

One example: Forest Rangers use drones[1] for both setting and watching deliberate fires, as well as watching for unwanted fires. Also to carry IR cameras for search & rescue or animal tracking.

[1] although this article refers to them as "modern technology, Unarmed Aerial Systems (UAS)" which is a telling comment on their expectations

Innocent techie jailed for taking hours to fix storage

that one in the corner Silver badge

I call BS; could never happen in UK (or ...)

Caring plod gives overworked techie good excuse for some downtime.

Techie embellishes "into this cell you go" ("and would you like a cuppa?" left out)

El Reg embellishes: "jailed"[1] (and still not to the point of being charged)

Commentards strongly declare[2] that whole story is a pack of lies.

'Twas ever thus.

[1] ahem, "gaoled" if you would be so kind.

[2] rant

AST SpaceMobile promises the Moon with seamless satellite phone service

that one in the corner Silver badge

We will make your days^^^^nights brighter

> AST's satellites are designed to have a huge antenna, which makes it capable of putting down a small spot beam

Well, that is nice for all their customers, but considering the joy (/s) expressed in the coverage for AST's BlueWalker 3 satellite[1] not sure that everyone is going to be impressed. Especially as this system requires collaboration with terrestrial partners just to free up the radio band, so all well and good for

> 100 percent geographical coverage throughout the continental US

but a long middle finger for anyone else in the World[2] who might look skywards.

[1] Giant satellite outshines stars, sparking fresh concerns for astronomers; at least SpaceX have talked about reducing glare from their birds.

[2] "the World" - don't be daft, if you go West from California or East from New York you fall straight off the edge!