Posts by Michael Wojcik

I can't see why we should not use a name dating back to ancient Greek writers [continue usual whinge]

No one said "we" couldn't use the name. NASA decided in this case not to ask the IAU to approve the name "Ultima Thule" for this particular bit of rock. So fucking what?

Personally, I suspect they did it just to get a rise out of all the political-correctness-bugbear scaremongers on the Internet.

Re: I see a fork in 3...2...1...

And then they'll change root.

Re: Argh! What now?

I think that containers will evolve to end up looking a lot like virtual machines. In a few years time, the extra hardware resources required for that won't really be a problem.

Some research suggests that for many workloads, VMs are just as resource-efficient as containers.

Back In The Day, IBM's VM was happily running dozens of virtual OS instances on S/370 systems with fewer resources than a smartphone. VMs can be very lightweight. Mostly the problem is bloated OS instances, and there are techniques such as the "library OS" model which fix that.

Re: No data goes through Google's systems when you use them?

What are you on about? Docker and Kubernetes can be used anywhere. They're not tied to Google-owned hardware.

Re: Why a 3D printed gun?

people were shooting into houses in daylight

Happens all the time here in the US. We even have a term for those people: "police".

Re: Why a 3D printed gun?

I don't own a gun (but have in the past) and for the foreseeable future, won't own one either. But I understand some folks feel the need for self protection.

I don't currently own any guns myself, but my wife and I have been discussing getting a shotgun. At the Mountain Fastness, rabid skunks, feral dogs, and some other undesirable animals are all occasionally found in the area, and not long ago someone in the neighborhood had a bear rooting though their garbage.

Calling Animal Control is an option, of course; but they could take several hours to respond. A bear rooting through your trashcans may just mean a mess to clean up and some new trashcans. But if the bear decides there's food in your car - well, that doesn't turn out well for you. And sometimes bears break into houses. Happened a couple of years ago to a woman who lived in a cabin on the other side of the mountain. She happened to have a rifle to hand, and shot it dead in her front room. I doubt I'd be so successful, but in an emergency I might be able to discourage a bear with a couple of loads of shot.

Re: Boffins

Hey - the folks from Whoopie Tech get to work in beautiful Worcester, Massachusetts. (Municipal motto: "Somewhat nicer than Lowell!")

In all seriousness, I agree that it's always good to see people doing the work. (This sort of thing is pretty fun work, in my book, but that doesn't make it less important.) But I don't know that salaries at Worcester Polytechnicl are "tiny", exactly; online sources differ, but it looks like professors average around $110K, which suggests full professors in particular earn a comfortable salary. Cost of housing around Worcester isn't great but isn't as bad as Boston.

Of course graduate students are basically on subsistence pay, even with assistantships and fellowships, but that's true for all US universities.

Re: Or right if you work for some intelligence agency

You're multiplying entities needlessly. It's difficult to do constant-time big-number arithmetic correctly, and the dangers of timing side attacks for ECC were not well-documented until relatively recently. Thus it's probable that most or all of these attacks are accidental.

While well-resourced actors are likely capable of subverting the TPM development process at various OEMs, and certainly wouldn't have any qualms about doing so, these are odd backdoors to choose. They'd be better off backdooring the CPRNG, which is undetectable if done correctly. (Or putting in backdoored ECC curves, except there are users who know to insist on using standard ones.)

And as long as those actors know existing implementations are flawed, there's no reason for them to intervene and risk discovery.

Re: One way to prevent accidents

[home][delete][enter]

Bah. Esc-0-x-Enter.

This religious war was brought to you by the letters V and I.

Re: I thought that Donald 'I cheat at Golf' Trump

Actually - and while I am in no way a fan of our Village Idiot in Chief - Trump has appointed quite a few women to significant positions in his administration. He's fired a bunch of them too, of course; but then he's not been reluctant to do that to men either.

In any case, "a poor record on appointing women" is one criticism of the Orange Megalomaniac that probably isn't fair. Appointing competent, reasonable women ... well, again, it's not noticeably worse than his record with men.

Yes, and perhaps they've captured a Magic Decryption Fairy.

Many people have looked at Dharma. Even people who can write competent English prose, which apparently is a skill not available at Fast Data Recovery. (What are they doing with the profits from their many successful recovery cases?)

It is much, much more likely that this is simply another iteration of the ransomware middleman scam.

Re: "Negotiating with the ransomware author"

They may be, or be affiliated with, the ransomware author; or they may be an independent third party. Both are viable business models. The former offers greater profit, but requires more work and entails greater risk. The latter has a much lower cost of entry.

Re: Visual Studio != Visual Studio Code

I'm not looking at it because I hate IDEs. I've been using IDEs on everything from PCs to mainframes since the 1980s, and I've yet to see one that comes close to the power of a good set of dedicated tools running under a competent shell.

JFTR, I did take a look at VS Code. It's better than Original Formula Visual Studio, but that's a mighty low bar. I didn't care for it.

Re: "rural types come from a very "independent" mindset"

Regardless, most of the proudest "self-reliant" types are in fact very reliant on government assistance. Some of it's direct; most of it is indirect. But in either case it's bullshit.

Re: "Her computer"?

Without help from (someone in) the IT department???

Certainly conceivable. It's not difficult. Parents put spyware on their kids' machines all the time. Abusers do it to spouses and other victims. It's trivial for someone to purchase spyware and get instructions on how to install it. There are plenty of vectors for non-privileged attackers to do so, such as social engineering and hardware keystroke loggers.

Or, if Schrader's suspicions are correct, Porter could have co-opted someone in the IT department. Or someone with the requisite skills to gain unauthorized access in the Gwinnett County Superior Court network, which I bet is not tremendously secure.

But conversely there's plenty of reason to be suspicious of the IT department in this situation, even if you have some reason to believe that they'd be at all useful in finding spyware in the first place.

Re: Nuance

I agree; but in a fight between a judge and a DA, you have to expect that legal weapons, however inappropriate, will be deployed.

It may be worth noting that according to various sources Schrader was suspended specifically for (indirectly) giving a felon access to the court IT system - not for letting someone run Wireshark. As I wrote in another post, I believe her real mistake was in employing Ward, who clearly wasn't sufficiently careful in choosing his subcontractors.

Or if one or more IT staff members were colluding with Porter. Some of the commentators here seem to have a peculiar belief in the trustworthiness, not to mention competence, of the IT staff at the Gwinnett County Superior Court.

Personally, I suspect asking the Gwinnett County IT to look for spyware on a machine is likely an exercise in futility. Just a guess based on my experience with IT departments of other public institutions.

Schrader's real error, in my opinion, was in hiring Ward, who apparently wasn't diligent or wise enough to avoid hiring Kramer. Kramer is the real source of the defendants' troubles here.

Re: Nuance

Even if the network is hub-based and the NICs were in promiscuous mode, I'd consider this a case of overhearing rather than spying. If the court's IT department can't secure their network properly, that's their fault, not the judge's or the investigators'.

Circa 2002, I moved house and got cable Internet service. I was investigating a problem with my work VPN and had done some tcpdump tracing on a machine connected directly to the cable modem. I was talking with a network engineer about some of the traffic I was seeing, and he got all bent out of shape: "You can't look at packets on my network!".

Well, as it happens, I can. If you don't want me to, don't send them to my device, buddy.

Fortunately that cable company went bankrupt and was bought by one that employed adults.

For any non-trivial task, if you rely exclusively on one tool you're almost certainly "doing it wrong". This is a facile observation and not a meaningful objection to CVSS.

Re: A threat centric approach

That may be true, but it says nothing about whether their predictive model is a useful tool, much less whether the approach in general can be useful.

Re: The logical next step is the two-dimensional risk rating approach

CVSSv3 also incorporates a base, temporal, and environmental score. Most outlets don't do a good job of reporting or explaining those.

While publishing the vector isn't useful for human readers (that's not the intended audience), there's nothing to stop someone from providing a concise text explanation.

CVE-2019-xxxx has a CVSSv3 base score of 10 (over the network, easy to attack, no privilege required, no user interaction required; high risk to confidentiality, integrity, and availability).

Obviously there's still some jargon, or at least terms of art, in that, but you don't have to be an IT security expert to understand it.

You left off the temporal and environmental scores in your example vector, so explaining those in plain language is left as an exercise for the reader.

It's all very well for Rogers to say we need a different scoring system and representation, but CVSSv3 does incorporate a threat model, and considering combinations of vulnerabilities quickly falls foul of combinatorial explosion. While he raises some good points, and while theoretical speculation is useful, it won't get us very far until someone has a concrete proposal. I'd say that CVSSv3 does a good job at the function it's intended to perform; that function is valuable; and interpreting combinations of vulnerabilities under richer threat models is the job of human experts, not a mechanical scoring system.

Re: Darwin is still a very naughty boy ...

It seems to me that there has been a huge row-back on the ideas of the Age of Enlightenment in recent years

I believe more careful study of the history of ideas will show that's merely perception. Modern scientific epistemology has never been broadly popular, and actually is difficult even for its practitioners to sustain. Humans are not evolved to be consistently and thoroughly rational. It's not feasible given the resource constraints and speed of conscious human cognition.

In the so-called Age of Enlightenment, practitioners had the luxury of largely surrounding themselves with like-minded types, and ignoring those who still relied primarily on non-rational thinking. These days we have much more persistent, pervasive, and rhetorically aggressive sources of information, which constantly remind us of the prevalence of superstition.

It's almost as if people buy first editions for some reason other than the content.

Re: With enough controls

Oh, are we playing "spot the technocrat"?

I can think of few pressing political problems that can be remedied primarily by supplying more data, and even fewer that are likely to be.

Re: Spanish citizens have been assured the data will be anonymous and aggregated

Yes. There's considerable research into de-anonymization, and it is successful to a much greater extent than people (even people with database experience) generally expect.

Re: Two semi-marginal companies

CA doesn't want to be in the physical-things business. But now that it's a subsidiary of Broadcom what it wants is likely moot.

Re: Surely

An ML-based classification algorithm might use a static model, or it might be able to update its model. Both designs are possible. I have no idea if Uber's system at the time enabled continuous learning.

In this case, updating its model during this event would very likely not have been useful. Updating its model from prior similar events might have been - that is, the model could have been updated to recognize pedestrians crossing outside marked crosswalks, at least as objects likely to move into the vehicle's path even if not correctly tagged as pedestrians.

In any case, the term "Artificial Intelligence" is sufficiently broadly used to include all sorts of things, the attempts of marketers, sensationalists, and curmudgeons to pin its meaning down notwithstanding. (As always, there are plenty of Reg commenters who insist "AI" means some specific thing, generally not any of the things it's commonly used for. Sorry, kids; you don't own the term.) So there's little point in wondering whether "AI" implies some particular capability.

"Machine Learning" is a bit more specific, but still encompasses a huge range of approaches, architectures, algorithms, and implementations. And this is an extremely active area of research, with thousands of significant new papers every year.