* Posts by Michael Wojcik

12132 publicly visible posts • joined 21 Dec 2007

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Michael Wojcik Silver badge

Re: A threat centric approach

That may be true, but it says nothing about whether their predictive model is a useful tool, much less whether the approach in general can be useful.

Michael Wojcik Silver badge

Re: The logical next step is the two-dimensional risk rating approach

CVSSv3 also incorporates a base, temporal, and environmental score. Most outlets don't do a good job of reporting or explaining those.

While publishing the vector isn't useful for human readers (that's not the intended audience), there's nothing to stop someone from providing a concise text explanation.

CVE-2019-xxxx has a CVSSv3 base score of 10 (over the network, easy to attack, no privilege required, no user interaction required; high risk to confidentiality, integrity, and availability).

Obviously there's still some jargon, or at least terms of art, in that, but you don't have to be an IT security expert to understand it.

You left off the temporal and environmental scores in your example vector, so explaining those in plain language is left as an exercise for the reader.

It's all very well for Rogers to say we need a different scoring system and representation, but CVSSv3 does incorporate a threat model, and considering combinations of vulnerabilities quickly falls foul of combinatorial explosion. While he raises some good points, and while theoretical speculation is useful, it won't get us very far until someone has a concrete proposal. I'd say that CVSSv3 does a good job at the function it's intended to perform; that function is valuable; and interpreting combinations of vulnerabilities under richer threat models is the job of human experts, not a mechanical scoring system.
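Worked example of the plain-language rendering suggested above, as an added illustration that is not part of the original comment: a small parser for CVSSv3 base vectors that computes the base score from the published v3.1 formulas (the metric weights and Roundup definition are taken from the specification, not from any vendor tool) and emits the kind of one-sentence summary the comment gives. The CVE identifier and the vectors passed in are placeholders; the phrase wording is my own.

```python
import math
import re

# Metric weights from the CVSS v3.1 specification (v3.0 uses the same values).
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Privileges Required is weighted differently when Scope is Changed.
PR_WEIGHTS = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
              "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

# Plain-language phrases, following the wording used in the comment above.
PHRASES = {
    "AV": {"N": "over the network", "A": "from an adjacent network",
           "L": "with local access", "P": "with physical access"},
    "AC": {"L": "easy to attack", "H": "hard to attack"},
    "PR": {"N": "no privilege required", "L": "low privilege required",
           "H": "high privilege required"},
    "UI": {"N": "no user interaction required", "R": "user interaction required"},
}
IMPACT_WORDS = {"H": "high", "L": "low", "N": "no"}


def parse_vector(vector):
    """Parse a CVSS v3.0/v3.1 vector string into a dict of base metrics.
    Temporal and environmental metrics, if present, are ignored here."""
    parts = vector.split("/")
    if not re.fullmatch(r"CVSS:3\.[01]", parts[0]):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        if name in BASE_METRICS:
            metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector lacks base metrics {missing}")
    return metrics


def roundup(x):
    """Roundup as defined in the CVSS v3.1 specification: the smallest one-decimal
    value >= x, done in integer arithmetic so boundary cases round consistently."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(metrics):
    """Compute the base score from parsed base metrics (CVSS v3.1 base equations)."""
    scope_changed = metrics["S"] == "C"
    w = WEIGHTS
    iss = 1 - (1 - w["C"][metrics["C"]]) * (1 - w["I"][metrics["I"]]) * (1 - w["A"][metrics["A"]])
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * w["AV"][metrics["AV"]] * w["AC"][metrics["AC"]]
                      * PR_WEIGHTS[metrics["S"]][metrics["PR"]] * w["UI"][metrics["UI"]])
    if impact <= 0:
        return 0.0
    if scope_changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def describe(vector, cve="CVE-YYYY-NNNN"):
    """Render the one-sentence plain-language summary for a base vector."""
    m = parse_vector(vector)
    score = base_score(m)
    how = ", ".join(PHRASES[k][m[k]] for k in ("AV", "AC", "PR", "UI"))
    if m["S"] == "C":
        how += ", impact can spread beyond the vulnerable component"
    if m["C"] == m["I"] == m["A"]:
        risk = f"{IMPACT_WORDS[m['C']]} risk to confidentiality, integrity, and availability"
    else:
        risk = ", ".join(f"{IMPACT_WORDS[m[k]]} risk to {name}" for k, name in
                         (("C", "confidentiality"), ("I", "integrity"), ("A", "availability")))
    return f"{cve} has a CVSSv3 base score of {score:g} ({how}; {risk})."


if __name__ == "__main__":
    print(describe("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CVE-2019-xxxx"))
```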

Beardy biologist's withering takedown of creationism fetches $564,500 at auction

Michael Wojcik Silver badge

Re: Darwin is still a very naughty boy ...

Yes. Wallace developed a theory of evolution through competition and heritable characteristics very similar to Darwin's, more or less simultaneously, in his work in the Pacific islands. The "Wallace Line" was as good an example as the Galapagos finches.

Michael Wojcik Silver badge

Re: Darwin is still a very naughty boy ...

It seems to me that there has been a huge row-back on the ideas of the Age of Enlightenment in recent years

I believe more careful study of the history of ideas will show that's merely perception. Modern scientific epistemology has never been broadly popular, and actually is difficult even for its practitioners to sustain. Humans are not evolved to be consistently and thoroughly rational. It's not feasible given the resource constraints and speed of conscious human cognition.

In the so-called Age of Enlightenment, practitioners had the luxury of largely surrounding themselves with like-minded types, and ignoring those who still relied primarily on non-rational thinking. These days we have much more persistent, pervasive, and rhetorically aggressive sources of information, which constantly remind us of the prevalence of superstition.

Michael Wojcik Silver badge

It's almost as if people buy first editions for some reason other than the content.

Radio nerd who sipped NHS pager messages then streamed them via webcam may have committed a crime

Michael Wojcik Silver badge

Not true. For many years it was, and probably still is, illegal to monitor cellular radio transmissions.

Since 1986. That was when it first became illegal to receive any type of wireless transmission in the US.

Importing equipment capable of tuning the cellular bands was illegal

That came later, in 1993, per the same source.

Of course, tu quoque, this does not make the UK situation any better.

Belgian city slurps mobile data to track visitors

Michael Wojcik Silver badge

Re: She has a sister

I think "just about always" is incorrect. Certainly it rarely does when "between" is used as a preposition to refer to physical space, as in "put it between the table and the chair".

In this case, it's plausible that "between" was being used in its alternate sense of "with the combination of A and B", as in "between you and me", or "between the Ukraine scandal and Giuliani's accidental disclosures, there's plenty to warrant an investigation". In that usage there's no interval implied, but a pair of contributing entities.

Michael Wojcik Silver badge

Re: With enough controls

Oh, are we playing "spot the technocrat"?

I can think of few pressing political problems that can be remedied primarily by supplying more data, and even fewer that are likely to be.

Michael Wojcik Silver badge

Re: Spanish citizens have been assured the data will be anonymous and aggregated

Yes. There's considerable research into de-anonymization, and it is successful to a much greater extent than people (even people with database experience) generally expect.

Open wide, very wide: Xerox considers buying HP. Yes, the HP that is more than three times its market cap

Michael Wojcik Silver badge

Re: Only in the business world

even if I had $80000, I don't think my banker would loan me $200000 to buy a $280000 house. Not at my age and not on my salary.

Really? In the US (in the areas where you can find a house for $280000), you'd have banks falling over one another for that mortgage. Assuming you can make the payments, which at around $1220/month are low for most US homebuyers, and better than renting for most markets (by population).

Both of my houses happen to be significantly cheaper than that, but I've cleverly arranged to live in places where good homes are available at far under the national average.

Michael Wojcik Silver badge

Re: Two semi-marginal companies

CA doesn't want to be in the physical-things business. But now that it's a subsidiary of Broadcom what it wants is likely moot.

This news article about the full public release of OpenAI's 'dangerous' GPT-2 model was part written by GPT-2

Michael Wojcik Silver badge

Re: How much wood could a woodchuck chuck if a woodchuck could chuck wood?

started WoodChuck with some initial ideas about how woodchuck-shaped objects could be made

Venture capitalists: We have our next unicorn.

Remember the Uber self-driving car that killed a woman crossing the street? The AI had no clue about jaywalkers

Michael Wojcik Silver badge

Re: Surely

It'd be miserable riding in such an autonomous vehicle through rural Colorado. Besides the tumbleweeds (which like to spring out from the ditch right in front of you), in the colder weather flocks of small birds will often settle on the edges of the road, presumably for the warmth. They take off as you approach, right into the path of the car. I've accidentally hit a couple over the years despite my best efforts.

Michael Wojcik Silver badge

Re: Surely

An ML-based classification algorithm might use a static model, or it might be able to update its model. Both designs are possible. I have no idea if Uber's system at the time enabled continuous learning.

In this case, updating its model during this event would very likely not have been useful. Updating its model from prior similar events might have been - that is, the model could have been updated to recognize pedestrians crossing outside marked crosswalks, at least as objects likely to move into the vehicle's path even if not correctly tagged as pedestrians.

In any case, the term "Artificial Intelligence" is sufficiently broadly used to include all sorts of things, the attempts of marketers, sensationalists, and curmudgeons to pin its meaning down notwithstanding. (As always, there are plenty of Reg commenters who insist "AI" means some specific thing, generally not any of the things it's commonly used for. Sorry, kids; you don't own the term.) So there's little point in wondering whether "AI" implies some particular capability.

"Machine Learning" is a bit more specific, but still encompasses a huge range of approaches, architectures, algorithms, and implementations. And this is an extremely active area of research, with thousands of significant new papers every year.

Michael Wojcik Silver badge

Re: Surely

the term was invented [by] US car manufacturers

It was promoted by auto manufacturers, but I find no evidence that it was coined by them. This article, for example, does not indicate any such origin in the first three known appearances of the term. It seems more likely to be a popular neologism.

Michael Wojcik Silver badge

Re: Surely

If you're a driver be careful of children riding Shetland ponies, they may be closer than you think!

Really, this is good advice even if you're not a driver.

Michael Wojcik Silver badge

Re: Surely

The deer sprang off but the bambi slipped. I had no time to brake so I drove the car into a ditch.

It's a tough choice, assuming you even spot it in time and have the presence of mind to make a conscious decision. Around here, where deer are the second or third most common cause of vehicular accidents (impairment is first; the statistics I've seen were from several years ago, and distraction may now have passed deer), the authorities and insurance companies frequently tell people not to swerve, just brake if possible and stay on the road, on the grounds that swerving is statistically more dangerous to the driver and passengers than hitting a deer.

I've never hit a deer with any of my cars, though I've had close calls, and once was hit by a deer. It jumped out from the woods into the side of the car. I wasn't going sideways, so that puts the deer entirely at fault. (Also I had the right of way. And it wasn't licensed or registered to operate on the public roads. Deer have little respect for the law.)

Michael Wojcik Silver badge

Re: Surely

My wife has seen them on the offramp

I was driving on Interstate 96 near Lansing, MI a couple of years ago. It was around 1 AM and snowing gently - typical mid-Michigan snow, big fluffy flakes spiraling down like something in a movie. Not yet accumulating on the road, so I was doing something close to the posted limit of 70 MPH; I-96 is a limited-access four-lane highway. The road was nearly deserted; I'd passed a semi a mile or two back, and there weren't any other vehicles in sight at the moment.

I'd been driving for about 14 hours, coming from Kansas.

If you've driven in snow showers at night, you know what it looks like - the hypnotic effect of flakes catching the light from the headlights and spinning past, while the segments of the dashed lane-separator line click by on the road. Flakes, dash, flakes, dash, flakes, deer standing in the left lane close enough that I could have slapped it had I stuck my arm out the window, dash, flakes, ...

By the time the headlights lit up the deer, I was maybe a car length away. I was just lucky it stood still. That truck I'd passed a little way back? Who knows. There wasn't any way to warn him about it.

I did swear vigorously for a few minutes, though. That helped.

And that's not the only time I've driven past a deer standing in the road on a highway at night.

Chrome OS: Yo dawg, I heard you like desktops so we put a workspace in your workspace

Michael Wojcik Silver badge

Re: GEM ? 1980s ?

OS/2 only got virtual desktops with Warp in '96.

Never used GEM, but according to Wikipedia GEM/2 was a tiling (no overlapping windows) GUI, with two fixed windows. That's not the same as virtual desktops. (There were a number of tiling GUIs in the '80s, such as the Cambridge Window Manager for X11, part of the Project Athena collection. They never caught on.)

Apparently GEM/XM, from the mid-80s, did let you flip between multiple GEM and DOS applications and change which ones had screen real estate, so that was more or less a virtual-desktop system.

Michael Wojcik Silver badge

Re: Really ?

even poor old Windows finally got them 4 years ago

Long before that, actually. There were virtual-desktop utilities for XP, and you could do it way back in NT 4 (and I believe in NT 3) if you wanted to write the Desktop-switching code yourself.

Michael Wojcik Silver badge

Re: Linux for the win

With X11, there is no "mouse interface native the unix os", assuming by "interface" you mean "consistent way of interpreting input from the mouse". Mouse events are handled and interpreted by the X11 client that currently has pointer focus - that can be the window manager or an application (or potentially the X11 root window, though in practice essentially everyone runs a window manager that intercepts events to the root window).

Mouse behaviors for applications are thus up to the application itself. Where you get consistent behavior, it's because applications are using toolkits (SDKs or frameworks) which implement that behavior, often using hints from the window manager, or in today's overengineered X11 world, some other component.

You could write a window manager that intercepts all mouse events, translates them as you prefer, and then forwards them to the window with pointer focus. That would have seemed an amusing exercise when I was 20; now it doesn't appeal, personally. I'd just suck it up and use the default behaviors.

Of course that's assuming you're using X11. I have no interest in Wayland and no idea how it works. X11 was good enough for me in the '80s, and it's good enough now.

Michael Wojcik Silver badge

Re: *IX

Yup. I recall adding a virtual-console driver for a prototype graphics card (when running in text mode) to BSD 4.3; that was the late '80s, but as jake says the capability had been in BSD for a while.

IBM's AS/400 had two virtual consoles per physical 5250 device, and I believe that was inherited from the predecessor S/3x systems. I don't know how far back that goes, but the 5250 and its twinax physical cabling (which provided the topology that let IBM do the virtual addressing of those consoles) dates back to the S/34, in 1977.

For GUI multiple virtual desktops, X11 had this capability in principle right from the start (that is, an X11 window manager could have implemented them), but I don't recall when they first became common. I also don't remember if any of the managers shipped in the stock X11R3 distribution, for example, supported multiple virtual desktops. (X11R3 supported multiple physical displays, of course, but that's a different feature.)

To be fair, multiple virtual desktops were available in Windows as far back as XP, using an add-on such as the one in PowerTools. The necessary OS support goes back as far as NT's WinStation and Desktop abstractions; it's just Microsoft couldn't be bothered to give users access to it.

OS/2 had multiple desktops in Warp, circa 1996. Still late to the party, but a lot earlier than Win10.

From Instagram to insta-banned: Facebook wipes NSO Group workers' personal profiles amid WhatsApp hack rap

Michael Wojcik Silver badge

NSO Group were not friends of Facebook before this. They're not anyone's friends.

You'e yping i wong: macOS Catalina stops Twitter desktop app from accepting B, L, M, R, and T in passwords

Michael Wojcik Silver badge

Re: This bug probably doesn't effect everyone....

"Have you tried sex?"

"No. I hear it has a bug that effects everyone."

(I know no one will see this, but I couldn't resist.)

Imagine OLE reinvented for the web and that's 90% of Microsoft's Fluid Framework: We dig into O365 collaborative tech

Michael Wojcik Silver badge

Compound documents, eh?

What do compound documents look like in the internet era?

HTML. Next question?

And, of course, there's already a tremendous body of research, in fields such as digital rhetoric, HCI, and CSCW (Computer-Supported Cooperative Work), on breaking the monolithic-document model and replacing it with robust, stable, versioned, extensible views of common data. I know of a couple of such systems that have been in production use for years. I have to wonder how much attention Microsoft (which has often been plagued by NIH, even among its own divisions) is paying to that existing work.

Heads up from Internet of S*!# land: Best Buy's Insignia 'smart' home gear will become very dumb this Wednesday

Michael Wojcik Silver badge

Re: Is anybody surprised?

We had service bureaus and other forms of utility computing long before someone co-opted the term "cloud". Utility computing obeys the same economic forces as utility power and water. It's not going to go away, and our energies would be better spent fixing it (which will require technical, regulatory, and social corrections) than stamping our feet and thumbing our noses.

Michael Wojcik Silver badge

Re: Contact your credit card company.

I'd never seen "avec" used as a noun in English before (and, yeah, I'm not a fan of it either), but interestingly Wiktionary claims that it's used as a noun in Finnish, apparently as a synonym for "date" (I assume in the sense of "meeting") or "company".

Michael Wojcik Silver badge

Re: Everything under control

Looks like a lot of folks missed the joke icon. Or maybe all 13 fans of 3D TV are Reg readers.

Michael Wojcik Silver badge

Re: Contact your credit card company.

when I install a switch or an outlet on the electrical circuit of my home, I expect it to work for, I don't know, 50 years?

50 years is ambitious with a lot of modern consumer electrical gear, I'm afraid. In the US, GFCI outlets are required in a number of areas of a home, and the electronics in those often die after only a decade or two. I have one in the kitchen that needs replacing which was installed in 2003. I have my doubts about the longevity of AFCI circuit-breakers, too.

Basic SPST mechanical switches often last a long time, but I've seen older ones break at the handle as the material degrades. One time I was living in a rental house and I flipped on the light in the bathroom one morning, and the Bakelite switch shattered into powder. Just completely gone, down to the actual sliding contact in the switch body. And the landlord was coming by that day. I had about 45 minutes to run to the hardware store, buy a replacement switch, and install it. My roommate actually had to stall the landlord down on the first floor with some bogus story about an intermittent plumbing issue while I was reattaching the cover plate upstairs.

Michael Wojcik Silver badge

Re: We shouldn't have skipped the time when it was the Intranet of Things

For most people, that's a license plate: too complicated

Sure. We all have limited fields of expertise. But there's nothing stopping one of these firms making and selling IoT crap from producing commercial equivalents of DCFusor's gadgets, without extraneous cloud-connection and phone-home crap tacked on. A DMZ port in the home router can be manually configured by those who know how, or opened using UPnP for those who don't (and who will therefore likely have UPnP enabled).

I get the impression from comments above that some home-automation vendors do offer products more or less along these lines. (It's not an area of technology I'm interested in, so I don't pay close attention to what's available.) In any case, it's possible for vendors to offer turnkey remotely-accessible home-automation systems that don't depend on some server outside the homeowner's control (aside from the actual networking infrastructure, of course).

Michael Wojcik Silver badge

Re: We shouldn't have skipped the time when it was the Intranet of Things

You might have video cameras. You might want to look at them from across town. You might need to be able to turn the lights on to see anything.

Why doesn't the camera have its own integrated LED lighting? Cheap and trivial, and it would save me from having to control two devices, with the associated additional complexity and points of failure.

Not that I have ever desired such a thing, even with owning houses in two states (indeed, two time zones). That's what I have neighbors for.

Socket to the energy bill: 5-bed home with stupid number of power outlets leaves us asking... why?

Michael Wojcik Silver badge

Re: priorities

Of course this whole subthread, from Hans down, was a series of jokes, which I suspect is why you were downvoted; but it's true that the earlier posts were unsupported prescriptivism. Using "amount" for discrete (countable) entities is well-established usage and perfectly comprehensible to English speakers. (It's also a question of diction, not grammar.)

OneCoin lawyer trial kicks off in NY as cryptocurrency founder remains on the lam

Michael Wojcik Silver badge

Re: Earned A Precarious Living By Taking In Each Others Laundry

Except it's not as simple as that.

Right. In frauds like these, typically many of the victims are people who are not financially literate, and who have very few opportunities to leverage a small amount of capital. They may have only one opportunity in their lifetime to invest in the hope of moving from an existence of chronic or constant financial peril to one of minor comforts and a degree of financial security. That's not "greed"; it's survival.

But of course snap judgements are a staple of the omniscient Reg commentariat.

Michael Wojcik Silver badge

Re: Incorrect Reporting

Pyramid scheme, Ponzi theme [sic], Multi level marketing.

They are all the same.... Or am I wrong?

You're wrong. Ponzi schemes are not pyramid schemes. Ponzi schemes are flat, not hierarchical; the controllers pay investors leaving the pool using receipts from new investors. There's no pyramid.

MLM schemes are indeed pyramid schemes, with the addition of actual exchange (of goods, as with Amway / Alticor or Herbalife, or of real property, or of financial instruments, etc) between network members and a wider market. I'm not aware of any MLM schemes where the exchange economic activity hasn't been dwarfed by the membership economic activity, i.e. the transfers of wealth up the pyramid. I wouldn't touch them myself - at the very best they're hugely inefficient at their ostensible non-pyramid activity, and the property being marketed is often rubbish - but they're not pure pyramid schemes.

Also, all capitalist economic organizations require an influx of new participants to grow. Some are content to grow "organically" by selling something of (perceived) value to a market; some are even not particularly obsessed with growth and are comfortable more or less maintaining a consistent stream of income. But it's not the need for new participants that distinguishes pyramid schemes (including MLMs) and Ponzi schemes from non-fraudulent businesses - it's the excessive reliance on them.

Watch Waymo's totally driverless self-driving car cruise around, how the US military wants to use AI ethically, etc

Michael Wojcik Silver badge

"childlike tone"?

Tone, as a term of art in rhetoric and poetics, refers to the attitude toward the subject material implied by the work. In what way is the attitude implied by the article "childlike"?

Boffins don bad 1980s fashion to avoid being detected by object-recognizing AI cameras

Michael Wojcik Silver badge

Re: Great

The obvious solution for the AI-car-mongers, is to encourage worse human driving

All the auto manufacturers are already working on that, such as by putting fucking touchscreens in front of the driver.

DoHn't believe the hype! You are being lied to by data-hungry ISPs, Mozilla warns lawmakers

Michael Wojcik Silver badge

BLOCK CAPITALS MAKE EVERYTHING TRUER.

Revealed: The new icon you'll click to download an alternative browser, and more from Microsoft

Michael Wojcik Silver badge

To be fair, I can't say I've ever been particularly impressed by an icon. It's not one of our culture's great art forms.

Antarctic researchers send an SOS to the world: Who wrote this message in a bottle?

Michael Wojcik Silver badge

"Don't open that bottle. It's probably full of malware."

Aw, bad day at your air-conditioned, somewhat clean desk? Try shifting a 40-tonne fatberg

Michael Wojcik Silver badge

Re: Other places...

Many sources, such as this one, describe fatbergs in countries other than the UK.

Besides the flushing of fats and non-disintegrating wipes, some major contributing factors appear to be the percentage of sewer capacity in use, roughness of sewer lines, and amount of calcium in the water (due to source hardness, calcium leaching from concrete, etc). The calcium reacts with saponified fats to form soap scale, just as it does in the shower, for example.

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer

Michael Wojcik Silver badge

Thanks. I'd forgotten the Register broke the story. (I'd only learned of it myself a week or so earlier, in an embargoed announcement by CERT. Sometimes there are benefits to being on a PSRT.)

Michael Wojcik Silver badge

Re: Quick question

This "probably" means it is exploitable via JavaScript, so, basically, you're 0wned by a web page.

If you read the original SPECTRE paper, you'll see that one of their demonstrations was indeed implemented in Javascript. Before the paper (and associated CVEs) went public, major browser manufacturers implemented mitigations for that particular attack. Subsequently other MDS issues in browser Javascript engines were pointed out, and then mitigated, over a number of iterations.

These days, it's likely difficult to mount a successful MDS attack in Javascript under a recent release of a major browser, particularly when hardware / firmware / OS mitigations against the most useful side channels are also enabled. I wouldn't rule it out, though.

Michael Wojcik Silver badge

Re: Quick question

But even if you can read someone else's bytes, actually knowing what that data represents (in someone else's application) is impossible.

The many successful MDS demonstrations, going back to the original SPECTRE paper, show that you are utterly incorrect.

So do many other untargeted-exfiltration exploits, such as Heartbleed. In fact it's often very easy to determine how to correctly interpret exfiltrated data.

When the Morris Worm came out, there was much public sentiment that Morris was some sort of wunderkind and overflowing the fingerd stack was a stroke of genius, unlikely to be reproduced any time soon. Then Levy published "Smashing the Stack for Fun and Profit" in phrack, demonstrating that it was actually quite easy to develop a stack-smashing exploit, and suddenly everyone and their basement-dwelling cousin was doing it.

Michael Wojcik Silver badge

Re: Quick question

The original Javascript SPECTRE attack might well have been a big deal had fixes not been pushed out before publication, because it would have been easy to deploy against normal users. It's a good example of responsible disclosure working as intended.

Is HONK nothing sacred HONK? It's 2019 and an evil save file can pwn much-loved HONK Untitled Goose Game

Michael Wojcik Silver badge

Re: How it might work

Well, in terms of vulnerability risk assessment, as we do for CVSS scoring, you have to look at the threat model. A couple of mitigations:

* UGG is not a common application in the same sense as, say, Microsoft Word. The target population is not enormous.

* User interaction is required, and typically some social engineering. Users don't habitually open game-save files from untrusted sources. Again that limits targets, and complicates automated or bulk exploitation.

* Users should be running with normal privileges. Of course we know that users often run with excessive privileges, but in this case the vulnerable application doesn't have any good reason to do so, unlike with some targets.

* The target doesn't have direct access to sensitive data, so an exploit has to be chained with, or followed by, at least a pivot maneuver to get anything of value. That's not an obstruction for a determined attacker but it increases the attacker's work factor to do anything useful, and so discourages casual exploitation.

I still don't know that I'd rate this as "amusing", but it probably pushes it from Critical down to High or even Medium importance, depending on the user aspects of your threat model. (In my case, since I don't have to worry about any UGG users, it doesn't matter at all.)

Michael Wojcik Silver badge

Re: How it might work

Yes. Or using an eval operation on anything else that provides it.

Michael Wojcik Silver badge

Re: How it might work

The classic presentation on the subject is "Marshalling [sic] Pickles" from AppSecCali 2015. It's a good one; anyone interested in further detail on how this sort of thing is exploited in various languages and contexts might want to watch the video or at least browse the slides.

In the MITRE CWE scheme, it's CWE-502.

Michael Wojcik Silver badge

Re: Honk if you want to go faster

That's a fine sentiment, but it's pretty clear from context that Jon Postel intended the Interoperability Principle as a recommendation for the liberal interpretation of malformed data. That has frequently created security issues, as with, for example, permitting non-canonical UTF-8 sequences, which may bypass special-character blacklists but then be interpreted by parsers.

The Interoperability Principle was invaluable in promoting the spread of the Internet, TCP/IP, and many application protocols and languages (perhaps most notably HTTP and HTML). Over the past couple of decades it's increasingly become a liability.
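The non-canonical UTF-8 problem mentioned above, as an added example that is not part of the original comment: a strict shortest-form UTF-8 validator of the kind RFC 3629 calls for, next to the two orders of operations a filter can use. The blacklist and the sample inputs are constructed for illustration; the point is that a byte-level blacklist never sees the overlong spelling of a character, so the fix is to reject non-canonical input before anything downstream gets to interpret it.

```python
# Constructed sample blacklist for the example.
FORBIDDEN = frozenset("/\\<>")


def utf8_codepoints(data):
    """Decode UTF-8 strictly, as RFC 3629 requires: reject overlong (non-shortest-form)
    sequences, surrogate code points, values above U+10FFFF, and truncated or malformed
    sequences.  Returns a list of code points or raises ValueError."""
    cps, i, n = [], 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                       # one-byte ASCII
            cps.append(b0)
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:              # two-byte lead (0xC0/0xC1 are always overlong)
            need, cp, smallest = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:            # three-byte lead
            need, cp, smallest = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:            # four-byte lead
            need, cp, smallest = 3, b0 & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b0:02X} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{b:02X} at offset {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        if cp < smallest:                   # a second spelling of a code point: reject it
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        cps.append(cp)
        i += need + 1
    return cps


def is_canonical_utf8(data):
    """True only if every sequence in data is well-formed, shortest-form UTF-8."""
    try:
        utf8_codepoints(data)
        return True
    except ValueError:
        return False


def byte_blacklist_allows(data):
    """A filter that inspects raw bytes before decoding: it only recognises 0x2F as '/',
    so any other spelling that a lenient downstream parser accepts slips past it."""
    return not any(chr(b) in FORBIDDEN for b in data)


def strict_filter_allows(data):
    """Hardened order of operations: canonical decode first, then blacklist the text.
    Non-canonical input is refused outright rather than passed on for interpretation."""
    try:
        text = "".join(map(chr, utf8_codepoints(data)))
    except ValueError:
        return False
    return not any(ch in FORBIDDEN for ch in text)


# Constructed sample inputs.
CLEAN = "résumé.txt".encode("utf-8")
WITH_SLASH = b"docs/readme.txt"
OVERLONG_SLASH = b"docs\xC0\xAFreadme.txt"   # two-byte overlong spelling of U+002F

if __name__ == "__main__":
    for sample in (CLEAN, WITH_SLASH, OVERLONG_SLASH):
        print(sample, byte_blacklist_allows(sample), strict_filter_allows(sample))
```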

WhatsApp slaps app hacker chaps on the rack for booby-trapped chat: NSO Group accused of illegal hacking by Facebook

Michael Wojcik Silver badge

Re: "This technology is rooted in the protection of human rights"

It was a typo for "rooting out".

Sticks and stones may break your bones but robot taunts will hurt you – in games at least

Michael Wojcik Silver badge

Easy?

It would be very easy to create systems that would annoy users

"Very easy", he says, as if the bulk of IT R&D weren't devoted to this very cause.