Posts by Paul Crawford 5665 publicly visible posts • joined 15 Mar 2007
Maybe the BOFH sees the auditors as "useful idiots"?
You know when they find irregularities with some boss' expenses, but strangely enough their own have just been accidentally shredded due to some unfortunate mistake when old documents due for secure disposal were piled on top of the original copies requested for audit...
"I'd have to upvote Microsoft at this point for maintaining 32-bit compatibility with their 64-bit operating system"
Have you actually used the 64-bit version of MS Windows C/C++ compiler?
If so you will discover that part of the 32-bit compatibility is the fact that most normal types like 'long' are still 32-bit! Yes, you have to explicitly ask for 64-bit variables so porting a program and expecting 32-bit memory limits, etc, vanishing magically is going to be a surprise unless you have been very pedantic to always index using size_t or similar. This level of incompetence (or "easy of backwards compatibility" depending on your viewpoint) extends to some OS API where they still use 32-bit "time_t" even though that is one type that is now 64-bit in both 32 and 64 builds. See more here (also not this reported bug is over 10 years old now):
https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/674d34c9-b6f6-4380-bc7b-181eae99847a/timeval-struct-incorrect?forum=windowssdk
"The problem with that is that a block of encrypted information does not look the same as a block of random data"
Only if the encryption is utterly incompetent.
Sure there might be systems where the encrypted file/partition has the odd header / magic number for file type identification, but those are not really a good idea and it does not change the statistics of encrypted block(s).
"So using a VPN does not prevent the few competent flatfeet from connecting the dots, only slows them down."
Using a VPN prevents mass surveillance as it then takes some degree of effort to follow an individual but, as seen here, it is not some magic tool that makes you invisible in perpetuity. Same issue with logging: many VPN say they don't keep routine logs and that may well be true, but if they receive a court order in their jurisdiction (and more probably if it is in connection with a genuinely serious case) they will probably find some bits of information have mysteriously been left on their systems that might be of some assistance...
"And neither Europe nor anybody else can do anything about it."
Don't know about that, only takes a couple of cases that show its illegal in the EU and a swarm of no-win no-fee lawyers to start suing USA corps in Europe and things might start moving.
And before anyone says "you don't need to use Facebook" you might want to look at how so many companies are using it as their main portal / contact method to put it in to the 'effective monopoly' position that MS and Google have/are finding themselves being bothered with fines for abusing. Sure, if they have no business interest in the EU there is not much to do, but most of the big players are making money over here.
"Not that that would help them at all, since they can't be sure that the source code they check is the same as the source code that's used to create the binaries. Or the tools to create them."
Actually you can in any sane build system - if the binary matches your own build, its the same code UNLESS the compilers or libraries have a hidden trust issue (a la Ken Thompson).
And for the second point you can build open-source compiler tools independently using differing compilation tools, so unless someone managed to infect every available compiler in such a subtle manner, you can verify that side as well.
Sorry, that simply won't work. The only thing that will make suppliers & importers take notice is liability for unpatched flaws after a certain time. You know the sort of thing that would happen in the traditional hardware world of cars, etc, when some safety factor comes to light.
Much as I distrust government meddling in technology, having some legal standards for, say, 5 years after the sale of any "connected device" would be a more workable answer. Sure those companies will bitch about profitability, etc, but the reality is they are currently shitting on the consumers by not doing it right in the first place (and by "right" I mean having a proper system for support and patching planned for and used, as some bugs are inevitably going to happen).
There is a simple fix for that, as its a corporate device you practice a monthly test of wipe-reinstall so only corporate synced data remains long-term. And you TELL the users this will happen and send a reminder a day or so before the appointed test cycle.
As a useful side-effect, you know the remote wipe works, and the phone is unlikely to fall over due to it being stuffed with cat videos (insert your own entendre about "pussy or cougar?").
"As our entire platform is Android (as most of the world is Android), we don't have any app compatibility headaches, and we can lock out really old Android devices that aren't patched to at least a reasonable level"
So its your kit then? Employees are free to buy whatever they want for themselves to use and keep it as long as they feel its worth using, and if its not compatible then you provide an alternative?
So how is this BYOD?
It has nothing to do with the bus-width, but related to features that newer CPUs have and often only work in the CPU's 64-bit mode, or were only added to the 64-bit version of the OS. As others have pointed out, some techniques such as ASLR are more effective the greater the possible virtual address space that is available (irrespective of actual usable RAM).
But even beside that, you usually get a modest speed advantage (I have seen ~30%) in 64-bit mode for numeric-heavy software just because you can do more in a single bus operation, and the 64-bit mode for the x86 series has more CPU registers that allows better code optimisation when built for it.
Well being charitable about the article: It does make a lot of sense to consider a major OS shift as part of a hardware refresh cycle, and that applies more or less to everything (Windows, Linux, Mac, etc).
Certainly for bigger organisations on the basis that you don't want the pain of a change in OS/application behaviour, testing, and fixing any more often than around 5 year intervals and by that point your hardware is due for a change anyway just to keep the failure rate down. Said new machines probably have SSD which is a genuinely useful speed-up (if you can tolerate the cost/storage ratio).
But personally I don't really want Win10 and its spying in all but the most expensive enterprise version...
Maybe if they had dropped the stupid built-in nature so you could get it for other Windows versions, and ideally along with other OS (Mac & Linux) they would have had a project many would be interested in trying.
Its a shame really, as Chrome's growing share and Google's dominance are not much better than MS abuse in the early years.
That proves the seL4 kernel is correct.
Not that the compiler(s) used are bug-free, or that the CPU/GPU/FPGA is bug-free in design. Also it does not cover things like the "rowhammer" attack on dynamic memory refresh/integrity.
Also in many cases (not sure about here) what you actually prove is the code matches the formal specifications given in some maths-like syntax. I'm not sure how you go about proving that specification did not overlook some use-case, but I imagine that is possible for a very limited set of permutations.
As well as something like uBlock origin as a generic ad-blocker, you really should use 'FB Purity' if you have to use Arsebook for any reason. On Chrome/Chromium you need to explicitly allow them for incognito mode if you usually use that to drop cookies, etc, on exit.
Last week I tried the Visual Studio 2017 suite to compile C/C++ for windows in place of my ancient Visual C++ 6.0 setup.
WTF have they done in the last 16 or so years?!
Default installation did not work - said I needed SDK 8.2 (in a bizarre XML style error) but found it has installed SDK 10.something. So go to the installer again and manually select the 8.2 component. Still wont build as the likes of stdio.h and math.h are missing in the 8.2 installation?!. Find in project setting the option to use SDK 10.xxx and that finally works. But that is not the fscking option it chooses on EVERY fsking project you create!!!
Also how do you create a new library project? If you create from existing source files its an option in the drop-down choice, but nowhere to be seen if creating a blank project. I could go on, but really it has tarnished by fond memories of how good the old Windows tool setup was and made me realise the Eclipse/Linux lack-of-ease-of use is in fact the new norm.
It is closer to a 2.5D Bob.
A problem with the current "3D" stuff like films is you cant focus near or far to select objects of interest. Basically the content creator set the focus position and depth-of-field and you get a stereo version where your eyes must be focused at the (virtual) distance of the screen for it to work.
Well the 'open' part of GCHQ provides guidance on most common OS that are a sensible starting point:
https://www.ncsc.gov.uk/guidance/end-user-device-security
Some might normally be laughable from a privacy point of view (Android, Chrome OS and consumer Windows 10) but I guess when configured their way (i.e. all using corporate VPN, Win10 enterprise options) they become acceptable for "official" work. Reading the Ubuntu 16.04 notes is interesting, they make a point of making user-writeable areas no-execute and enforcing apparmor restrictions on various process.
Reminds me of the saying "he who checks behind the door has once hidden there before".
"Hitting the phone and rostering systems sounds pretty esoteric"
Not really and most probably they both are managed by, or depend upon databases in, Windows machines.
Real question is what had (not) been done since WanaCry exposed unpatched machines and flat/open internal networks allowing havoc to ensue. I suspect that any Word macros uses that were not disabled by group policy are a symptom of the first ailment...
Thing is if you were to only have *one* computing device, you would get a smartphone. Basically it works as a phone, can be used on wifi (i.e. broadband) or without (using mobile data, probably at some cost), and does most of what folk want from a PC (messaging, web look-up, pointless social media, etc) as well mobile-specific stuff like satnav functionality. And it fits easily in your pocked/handbag/sporran/etc.
Sure other forms are better in many ways, such as screen size or easier typing, etc. But if you have limitations on your budget a phone seems the way to go.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
