* Posts by Michael Wojcik

12268 publicly visible posts • joined 21 Dec 2007

Can Amazon's AI really detect fear? Plus: Fresh deepfake video freaks everyone out again

Michael Wojcik Silver badge

Re: All you people look alike

I'd say he does two: ninny out of his depth in a situation that any normal competent person ought to be able to handle, and action idiot performing absurd and pointless stunts in a ridiculous situation. I'm not sure which is less believable or more annoying.

(I confess I have not seen any of the films in which his performance has been praised by critics of some taste and discernment, such as Magnolia. There may be some gems in that pile of crap.)

Michael Wojcik Silver badge

Yes, a regime founded on prosecuting alleged-propensity-for-thought-crime would be a fine addition to our current state of affairs. Let's just put that whole idea down and back away slowly.

Dry patch? Have you considered peppering your flirts with emojis?

Michael Wojcik Silver badge

Re: Pfffttt

Who needs emoji's what? Do you sell eggplant as well as prepare it?

Actually, the "s" is superfluous as well; the plural of emoji is emoji. Or possibly emojitachi, if you're talking about an assortment and want to emphasize that fact. A bit like writing "various emoji" in English.

Michael Wojcik Silver badge

Re: Why can't we use emojis when...

Just search the patent database for a compression algorithm that converts image and video to IT journalism.

Snark regarding the information entropy of the average Reg article is left as an exercise for the reader.

Michael Wojcik Silver badge

Re: Demographic

If they don't, would I just hear the carrier? That would be annoying.

Michael Wojcik Silver badge

What, no bots? Disappointing.

Omni(box)shambles? Google takes aim at worldwide web yet again

Michael Wojcik Silver badge

Re: I reckon the proper term is 'institutional stupidity'

Eh, fair enough. Upvoted.

'Hey Google, remind Greg the locks have been changed, and he should find a new place to live. Maybe ask his mistress?'

Michael Wojcik Silver badge

Re: Dystopia, one improvement at a time

Frankly, jake, that's a load of crap. By that standard, no primary research is "an actual new invention". And the most important novel aspect of Spanner is its handling of time skew, which is in no way anticipated by Paxos. (And, by the way, I'm very familiar with Paxos and its many variants.)

Michael Wojcik Silver badge

Re: Dystopia, one improvement at a time

Google haven't invented anything for at least a decade

Bullshit. I'm not a fan of Google, but they do considerable primary and applied research. The 2012 version of Spanner had novel features, particularly in its handling of time skew. The same can be said of Percolator. Google's SHA1-collision research was significant. Google researchers have made a lot of contributions to ANNs. They've done some QC work which is potentially useful, if we ever reach the point of having commercially viable QCs (I'm not holding my breath). And so on. Google has produced a lot of tech for large datacenters, as should be obvious.

Google researchers have published nearly 500 papers so far in 2019.

This information is all readily available. While I imagine you and the other knee-jerk Google-bashers would rather revel in your ignorance, the fact is that Google funds quite a lot of R&D.

Let's attack Google for its actual sins, not the faults we imagine, eh?

NSA asks Congress to permanently reauthorize spying program that was so shambolic, the snoops had shut it down

Michael Wojcik Silver badge

Re: The constitution is not supposed to be optional

Yes, that's why the Civil War went so well for the South. The Union Army just wasn't willing to slaughter ... oh, wait.

Michael Wojcik Silver badge

Re: So lemme get this straight....

Agreed. It is vitally important that the rights of the guilty be protected as well. While societies recognize a reason and justification for curtailing those rights (e.g. by incarceration), if that becomes an excuse to disregard those rights completely, you no longer have a civilization worthy of the name.

Overstock's share price has plummeted. Is it Trump's trade war? Bad results? Nope, its CEO has gone bonkers...

Michael Wojcik Silver badge

Re: I'm not trolling

Now that it's probably on the verge of being opened up so everyone can see it

And now we're in a fairy story.

Michael Wojcik Silver badge

Re: I'm not trolling

If there was any dirty dealing, they'll find it

A dubious and unprovable proposition. Yes, often the SEC do identify insider trading, partly because the people who do it are often idiots with abysmal OPSEC. But we don't know how many instances they miss, because when people get away with it, it looks like normal trading. It's not like property theft where there's an unexplained absence of the property to serve as proxy evidence of the crime.

Personally, I suspect Byrne was not involved in any stock-price-manipulation scheme here; it's too clumsy. I think he's genuinely deluded. But that's just a guess.

Michael Wojcik Silver badge

That is not an example to follow

Oh, I don't know. It could be a useful signal to the market.

Michael Wojcik Silver badge

Re: Uncharitable

"Black Wednesday" was some four years before the euro was even announced

Well, three-and-a-third (BW September '92, euro name announced December '95). And the idea of the euro, i.e. of European monetary unification, is in Maastricht, which was signed in February '92.

But, yeah, Black Wednesday had nothing to do with the decision not to adopt the euro.

Y2K, Windows NT4 Server and Notes. It's a 1990s Who, Me? special

Michael Wojcik Silver badge

Re: Shutting down the wrong server

Even the first gen RIB (before RILOE I and II which came before ILO) did a proper power-off.

RIB and RILOE were proprietary Compaq (and later HP) technologies. iLO is proprietary HPE. Not all NT4 servers were made by Compaq.

iDRAC is proprietary Dell, and I don't believe it was available in the days of NT4.

So what's your point?

Ohio state's top legal eagle just made it harder for the FBI, ICE, cops to snoop around its DMV DB for people's faces

Michael Wojcik Silver badge

Re: Not too surprised..

The traditional conservative outlook is 'I'm getting on with my life, your business is none of my business when it doesn't affect me'

A lovely idea, but it has nothing to do with "conservative" as it applies to Ohio. This is the state that gave us Simon Leis, after all; and that was in Hamilton County (Cincinnati), generally one of the less-reactionary parts of Ohio. The state with the infamous abusive mayor's courts. A state that went to much trouble to purge voter rolls of voters the incumbents deemed undesirable, using the despicable "use it or lose it" tactic, and engaged in other voter suppression such as the notorious HB 194.

World recoils in horror as smartphone maker accused of helping government snoops read encrypted texts, track device whereabouts

Michael Wojcik Silver badge

Re: Was already "mentioned" back in July

Oh, NSO Group are a horrible bunch. They've appeared in numerous stories and reports from organizations such as Citizen Lab over the past few years.

But it's not like the Israelis have a monopoly on this sort of thing. Cellebrite, who claim to be able to unlock any iPhone and sell that tech to police, are also Israeli. But the US has Palantir, Italy has Hacking Team, and so on. There are plenty of these commercial bad actors in the IT security space who make surveillance tools for governments, and who display an impressive lack of ethics.

Michael Wojcik Silver badge

Re: The under-emphasised point is that

I'm uncertain as to how close an eye a very close eye really constitutes...

It's too close to be consistent with a free society that respects civil rights, yet not close enough to be useful.

Quick question, what the Hull? City khazi is a top UK tourist destination

Michael Wojcik Silver badge

Re: Great Victorian tilework

I was a little surprised to be taken on a tour of the architectural highlights of Hull, and not to be taken to see a town hall, or a church, or similar though.

Were you taken to see new construction? According to the spam my email filter catches daily, there are many exciting real-estate investment opportunities in Hull. (Why Hull? Is it the phosphorescent waterfowl?)

Michael Wojcik Silver badge

Re: Pedant's corner

I was on holiday on Lake Michigan last week, and from there, it doesn't appear Britain has any lakes at all. Just some moderately large ponds. (Little Traverse Bay, where I spent most of my time, has three times the surface area of Windermere, and it's not even a particularly prominent feature of Lake Michigan.)

But as a longtime Ransome reader (and occasional scholar), I'll grant that little lakes can be deserving of the title too. Ditto meres and tarns and broads and waters and the rest.

Michael Wojcik Silver badge

Re: Pedant's corner

I have to agree. For foreign tourists who want to do the Lake District main tourist traps just to say they've done them, I suppose Windermere must get a quick look, just like the Potter cottage and the rest of that sort of thing. But you get a much more pleasant experience almost anywhere else.

I remember once spending a nice hour or so with my folks just poking about the ruins on Hardknott Pass, which we'd taken because it looked like an entertaining route between wherever we were and wherever we were going. Hardly saw another soul the whole time. This was some decades ago, and maybe things are more crowded there now; but I bet it's still a lot better than the LP's picks.

Michael Wojcik Silver badge

Re: Pedant's corner

I propose we rename it Lochy MacLochaghaidh.

J'accuse! Amazon's Rekognition reckons 1 in 5 Californian lawmakers are crims in ACLU test

Michael Wojcik Silver badge

Re: You really don't want it any more accurate than that

So, facial recognition introduces 'reasonable doubt' into its findings.

Wrong. Reasonable doubt is inferred by juries. It's not implied by anything in the evidence. It's an attribute of interpretation, not of data.

You can claim that facial recognition should lead juries to infer a degree of reasonable doubt, but there's no guarantee that any given juror will see it that way.

I'm really happy with that because it means that I won't be arrested, tried and convicted for a crime that I have no knowledge of just because an algorithm said so.

I find your abundance of faith disturbing.

Michael Wojcik Silver badge

Being attached to the front of the officer, it's not always in a good position to capture what's going on

And sometimes at a critical moment, leading to a frustrating and controversial gap in the record. That's what happened in the Deven Guilford case, where bodycam footage showed him arguing with the officer, getting hit with the officer's stun gun, and charging the officer; but not the subsequent fatal shooting.

In that case the officer involved was not charged by the investigating DA, but I believe the wrongful-death suit is still pending. If that goes to trial it will be up to a jury, and the bodycam footage can reasonably be interpreted either way.

Michael Wojcik Silver badge

It does need to be regulated, yes

Having the video (with an integrity mechanism) go to a third party rather than the police themselves might help, in theory. But it's hard to see how you'd prevent that third party from being coopted by one or more of several interested parties (the police, intelligence agencies, criminal organizations, gossip mongers, ...).

Intel: Listen up, you NUC-leheads! Mini PCs and compute sticks just got a major security fix

Michael Wojcik Silver badge

Typical of Intel drivers

Intel have long shipped drivers with lousy, low-quality code. It's clearly an organization that does not care about this aspect of its products. The initial code is shoddy; then under sufficient pressure (complaints from big customers, threat of vulnerability disclosure) they'll make an update available, but leave it to system and OS vendors to push it to customers.

And I agree with Dan 55 - their website is rubbish.

Should I ever buy another PC, I'm going with AMD. I've had it with Intel.

Chin up, CapitalOne: You may not have been the suspected hacker's only victim. Feds fear 30-plus organizations hit

Michael Wojcik Silver badge

AWS arguably shares some of the blame

Cloudflare's Evan Johnson has a good explanation of what Capital One did wrong, and is of the opinion that this kind of problem is difficult to detect and prevent, and that AWS doesn't do enough to help customers secure their systems against it.

It's interesting to note that the underlying issue was an SSRF vulnerability in a security component - the WAF module. So the Capital One admins had gone to some effort to secure their site using well-known mechanisms, but missed an inobvious vulnerability in a firewall configuration. This is rather different to, say, the Suprema breach, which was straightforward incompetence on the part of the admins; or the now-commonplace "we didn't secure our S3 buckets" failure mode.
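As an added illustration of the failure mode the post describes (this is example code written here, not anything from the post, from Capital One or from AWS), the following Python scans constructed proxy/WAF access-log lines for the two things a defender wants to see: requests that a forwarding component ended up sending to a cloud instance-metadata endpoint, and forwards to backends that are not on the allowlist. The log format, the client addresses, the backend addresses and the `ALLOWED_UPSTREAMS` set are all assumptions made up for the example; the metadata addresses are the well-known link-local ones.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Well-known cloud instance-metadata endpoints. An SSRF through a proxy or WAF
# typically surfaces as the forwarding component reaching one of these.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}

# Backends the WAF is *supposed* to forward to (assumed allowlist for the example).
ALLOWED_UPSTREAMS = {"10.0.1.20"}

# Constructed sample log lines in a hypothetical format:
#   <client-ip> <method> <path-with-query> -> <upstream host:port>
SAMPLE_LOG = """\
203.0.113.5 GET /static/app.js -> 10.0.1.20:8080
203.0.113.5 GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ -> 169.254.169.254:80
198.51.100.9 GET /healthz -> 10.0.1.20:8080
198.51.100.9 GET /fetch?url=http://internal-api.example/admin -> 10.0.2.7:443
203.0.113.77 POST /api/import?src=http://[fd00:ec2::254]/latest/meta-data/ -> [fd00:ec2::254]:80
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) -> (?P<upstream>\S+)$")


def metadata_like(host):
    """True if host names a metadata endpoint or any link-local address."""
    if host is None:
        return False
    if host.lower() in METADATA_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_link_local
    except ValueError:  # not an IP literal
        return False


def url_hosts_in_query(path):
    """Hosts of any absolute URLs passed as query-parameter values."""
    hosts = []
    for _, value in parse_qsl(urlsplit(path).query):
        parts = urlsplit(value)
        if parts.scheme and parts.hostname:
            hosts.append(parts.hostname)
    return hosts


def classify(line, allowed_upstreams=ALLOWED_UPSTREAMS):
    """Return (verdict, reason) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", line)
    # urlsplit handles "[v6]:port" and "v4:port" uniformly via .hostname
    upstream_host = urlsplit("//" + m["upstream"]).hostname
    for host in [upstream_host] + url_hosts_in_query(m["path"]):
        if metadata_like(host):
            return ("metadata", f"{m['client']} reached metadata endpoint {host} via {m['path']}")
    if upstream_host not in allowed_upstreams:
        return ("unexpected-upstream", f"{m['client']} forwarded to {upstream_host}, not an allowed backend")
    return ("ok", "")


def scan(log_text):
    """Classify every non-empty line; returns a list of (verdict, reason)."""
    return [classify(line) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for verdict, reason in scan(SAMPLE_LOG):
        if verdict != "ok":
            print(f"[{verdict}] {reason}")
```

The scan is a detection after the fact; the preventive controls are the ones the post hints at: egress filtering so the WAF host cannot reach the metadata address at all, and (on AWS) IMDSv2, whose session token and hop limit stop a forwarded GET from collecting credentials.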

Michael Wojcik Silver badge

Re: Spiteful

Agreed. Also the insanity defense is rarely successful even when a defendant meets the criteria.

In this case, while I agree Thompson is almost certainly not in good mental health and needs (and deserves) treatment, I think it's also clear that by the current legal standard in the US she's fit to stand trial and receive punishment, including fines and incarceration. Whether the punishment she potentially faces, or whatever she actually ends up receiving, is appropriate and proportional is another question. But unlike some of the people tried for hacking, she appears to have done actual harm.

For the record, I (like many people in the US) think the statutory punishments for many crimes in the US are grossly excessive; that the US incarceration epidemic is one of our great national disgraces; and that "tough on crime" politicians and their cronies are foolish or immoral. But that doesn't mean that people who knowingly do wrong should suffer no consequences simply because they're somewhat emotionally unbalanced. Plenty of other people in that situation don't go around committing crimes.

I'd be interested to know whether she ever sought treatment for her mental-health issues. She apparently has been unemployed for nearly three years (which I'm sure takes its toll), but was often employed since 2005, and presumably would have had health insurance during those periods. Did she take advantage of it? Far too many people don't.

Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds

Michael Wojcik Silver badge

A question to those in the security industry - is this normal?

It's a perverse question. There isn't any "normal" in this area for IT security firms (or security BUs within IT firms, etc). There's too much variation for there to be a meaningful single cluster of "normal" practice.

In my experience, IT security vendors mostly fall into one of two categories. There are those which make an effort to have adequate broad IT-security knowledge, so they devote some resources to hiring and training employees in IT security in general. These are the ones you see sending developers and other technical staff - not just sales and marketing - to security conferences. You see their employees writing and presenting for IT security organizations like ISSA. There's some external sign that they have people doing security research.

The other category are vendors that are only concerned with selling products in some narrow category. They may have some genuine expertise in that area (or they may be selling snake oil), but they often show a bewildering lack of basic security knowledge elsewhere. That generally means their products are rubbish, of course, because they either don't have people who understand security engineering, or they don't listen to those people if they do. And it generally means that they have poor security practices elsewhere, as in this case.

Michael Wojcik Silver badge

Re: I guess they're off the Christmas list now

Well, it's hard to tell, because we don't know how many data stores quietly get their security improved after a breach elsewhere is published, and consequently are never breached. While we continue to see examples of massive breaches due to gross incompetence, we don't know how large the pool of insecure but not-publicly-reported sources is, and whether a significant number of sources have been taken out of the pool.

It's entirely possible that for every Suprema or First American there are a dozen firms which see the public disclosure, realize they're in a similar boat, and silently fix the problem before it becomes public. There's no way for us to know. Have they already been quietly breached by non-publishing attackers (criminals, intelligence organizations[1], etc) before remediating the problem? No way to know that either.

The rate of massive breaches isn't getting better. The population of still-vulnerable targets might be getting smaller. Or it might be growing, as more firms move data to public clouds or otherwise increase their attack surfaces without due diligence. But I can't think of any way to measure that, directly or indirectly. The breach rate isn't a well-correlated proxy because there are too many variables.

[1] Arguably a redundant formulation.

HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead

Michael Wojcik Silver badge

Hardly a surprise

HTTP/1.1 is a badly stovepiped protocol - but then most communications protocols are, because protocol design is difficult. Also, new protocols have to be relatively uncomplicated to get traction, which inevitably means that if they become popular they'll see new use cases and feature creep which complicate the original design.

HTTP/2, on the other hand, is a ghastly mess from the ground up. It was rushed through the IETF to jump on a Google bandwagon (or, if you prefer, to try to pull the standardization reins on a runaway Google horse). I followed some of the HTTPbis mailing list discussions for a while, but they were too depressing to continue with. All other concerns sacrificed on the altar of pushing more "content". It's almost enough to make me miss SNA.

Michael Wojcik Silver badge

Re: Someone really needs a refresher.

Nor is TCP "the transport layer" or IP "the network layer".

The OSI model does not fit TCP/IP well. It doesn't fit anything well, except rump OSI implementations such as ISODE.

More importantly, if a reader doesn't know what HTTP/2 is, the sort of handwaving gloss that's used in the article will be no help whatsoever. It's neither correct nor usefully incorrect.

What do Windows 10 and Uber or Lyft have in common? One bad driver can really ruin your day. And 40 can totally ruin your month

Michael Wojcik Silver badge

Organizations should update drivers

Yes, good luck updating drivers. I have a Dell laptop that's two years old, and has one of the Intel network drivers with the idiotic bug that causes it to log a pointless message to the Windows event log every minute. Intel apparently fixed that years ago (and, obviously, it should never have shipped the thing in the first place, but then Intel is no better than most OEMs at quality control), but Dell still hasn't made the updated driver available for this machine. It's also not available through Intel or Microsoft.

The fact is most OEMs and system vendors can't be bothered to make updated drivers available, at least in any consistent fashion.

We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe

Michael Wojcik Silver badge

Re: "buried in Windows since the days of WinXP"

It certainly was designed to be, but Bill had them remove this feature

Rubbish. Multiuser support may have been removed from userland in non-server versions of Windows, but it most definitely remains in the kernel. All NT versions support multiple WinStations, Sessions, and Desktops, and every thread has a security token which identifies what user account it's running as.

What Citrix added was userland support for making use of those multiple WinStations, Sessions, and Desktops. RDP does something similar, as does Fast User Switching.

While Windows (even the server versions) is not particularly good at supporting multiple simultaneous users - certainly not nearly as good as pretty much any other multiuser OS - that's not because some feature was removed from the kernel.

Michael Wojcik Silver badge

Re: TL;DR but this seems a variant of message loop hacking ?

Not really, no. It's a system component running with excessive privilege and a whole bunch of buffer-overflow vulnerabilities. The interface used to exploit those vulnerabilities is not privileged.

Michael Wojcik Silver badge

not without using a browser exploit first anyway

Well, problem solved! Or not. (Of course, with many users running browsers with elevated privileges in the first place, once that browser exploit is available there's no need to elevate.)

In any case, this "the attacker has to be able to run unprivileged code first" mitigation is not nearly as useful as some people seem to think. It provides no defense against insider attacks. It provides none against social engineering. Against malware in the software supply chain. And so on.

Michael Wojcik Silver badge

Re: Over Confidence

Shame they dissolved the Trustworthy Computing Initiative team before they ran a modern source code vulnerability scanner over ALL the code that goes into shipping versions of windows

Yes. Such as Microsoft's own static-analysis scanner, which is a near-state-of-the-art hybrid of simulated execution and symbolic analysis. (There was a good paper on it from Microsoft Research in CACM a few years back.) Data tainting and data flow analysis find this sort of thing easily in cases like this, where, as Ormandy wrote, there's simply no validation.

They have the technology. They have the resources. They just don't have the will.

US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files

Michael Wojcik Silver badge

Alas, it was originally 14 and is now 32, somewhat spoiling the joke.

It's still a great example of the Big Lie, though. Someone at First American has balls.

Michael Wojcik Silver badge

Re: 885 million

That's bureaucracy for you, I suppose.

Personally, I confess I stop reading after the first few thousand, and just sign the rest on faith.

Header aches in Firefox, Tor, Brave and Chrome as HTTP opens new security holes

Michael Wojcik Silver badge

For the love of...

So, RFC 7838 explains (implicitly) how this is different from a simple HTTP redirect. It's transparent to the client. It's transparent to TLS - the alternative service has to provide a certificate that's valid for the original origin server. It's transparent to the request - the Host header doesn't change, for example.

What it doesn't say is why. Why is any of that desirable? The ostensible aims of Alternative Services, as explicitly detailed in the RFC, are all satisfied by HTTP redirects. (For that matter, some of them are satisfied by reverse proxies for many use cases, or by periodically terminating persistent connections and forcing clients to reconnect, the overhead of which amortized over many requests is negligible.)

I haven't tried to trawl through the discussion archives for the I-D to figure out what justification the authors[1] came up with for this. Anyone know offhand?

[1] Incidentally, and while I don't mind the Google-bashing above (which is well-deserved in general; QUIC and the like are a pox), the authors of 7838 are from Akamai, Mozilla, and greenbytes. (The last, of course, is Julian Reschke, author of a number of HTTP features.) So usual suspects, in other words, but not directly the usual suspects of Google.
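To make the post's three "transparent to" points concrete, here is an added Python example (written here; not from the post, the RFC authors, or any browser) that parses an Alt-Svc header field value per RFC 7838 and then applies the check the RFC imposes on the TLS side: the alternative is only usable if the certificate it presents is valid for the original origin host, not merely for its own hostname. The header values, SAN lists and hostnames in it are constructed; the wildcard rule follows RFC 6125 (one label).

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class AltService:
    protocol: str          # ALPN identifier, e.g. "h2" or "h3"
    host: str              # "" means "same host as the origin"
    port: int
    max_age: int = 86400   # RFC 7838 default when "ma" is absent
    persist: bool = False  # "persist=1": keep across network changes


def parse_alt_svc(header):
    """Parse an Alt-Svc field value into AltService records.

    Grammar (RFC 7838 section 3): a comma-separated list of
    protocol-id "=" quoted-alt-authority [";" parameter ...], or "clear".
    """
    header = header.strip()
    if header == "clear":
        return []
    services = []
    for entry in header.split(","):
        entry = entry.strip()
        if not entry:
            continue
        head, *params = [p.strip() for p in entry.split(";")]
        proto, eq, authority = head.partition("=")
        if not eq or len(authority) < 2 or authority[0] != '"' or authority[-1] != '"':
            raise ValueError(f"malformed Alt-Svc entry: {entry!r}")
        # alt-authority is "[uri-host]:port"; the host part may be empty
        host, colon, port = authority[1:-1].rpartition(":")
        if not colon or not port.isdigit():
            raise ValueError(f"alt-authority must end in :port: {entry!r}")
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]  # bare IPv6 literal
        svc = AltService(protocol=unquote(proto.strip()), host=host, port=int(port))
        for param in params:
            name, _, value = param.partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "ma" and value.isdigit():
                svc.max_age = int(value)
            elif name == "persist":
                svc.persist = value == "1"
        services.append(svc)
    return services


def name_matches(san_name, host):
    """RFC 6125-style DNS-ID match: a leading '*' covers exactly one label."""
    san_name, host = san_name.lower().rstrip("."), host.lower().rstrip(".")
    if san_name.startswith("*."):
        return host.endswith(san_name[1:]) and host.count(".") == san_name.count(".")
    return san_name == host


def alternative_acceptable(origin_host, san_names):
    """The alternative's certificate must be valid for the *origin* host
    (RFC 7838 section 2.1); its own hostname is irrelevant to the check."""
    return any(name_matches(n, origin_host) for n in san_names)


if __name__ == "__main__":
    # Constructed header as an origin "www.example.com" might send it
    for svc in parse_alt_svc('h2="alt.example.com:443"; ma=3600; persist=1, h3=":443"'):
        print(svc)
    print(alternative_acceptable("www.example.com", ["*.example.com"]))   # True
    print(alternative_acceptable("www.example.com", ["alt.example.com"]))  # False
```

The second check is the one that matters operationally: a client that switches to an alternative on the strength of the header alone, without re-validating the certificate against the origin name, has turned a cache hint into a redirect that TLS cannot see.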

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt

Michael Wojcik Silver badge

Re: An issue of Google's own making ...

In particular, it's trivial to inject Javascript malware into an HTTP connection. People who run NoScript and the like have some defense against that, but for most users it's a gimme. Everybody using unencrypted WiFi at a coffeeshop or the like is an easy target. Attackers can run cryptomining or try popular CSRF targets, etc.

Michael Wojcik Silver badge

Re: DV's only

EV certs are dead, since Chrome and Safari stopped displaying them, because users ignored them

Possibly overly optimistic. While browser manufacturers scorn EV certs, the CA/BF loves them. Their Code Signing Working Group mandated EV certs for code signing (as if that wouldn't be a fucking nightmare) in their draft spec, and - as some may remember - Microsoft briefly adopted that position, before backing down in the face of ISVs waving torches and pitchforks. It wouldn't surprise me if the CA/BF keeps pushing EV certificates for years to come, even with the browsers ignoring the distinction. And they'll try to wedge them into more non-TLS applications.

I agree that EV certificates are largely pointless - the additional cost doesn't buy much, considering that CAs have a record of not performing the additional verification properly (or at all, in some cases), and the HSM requirement for key management is not universally enforced and was poorly written in the first place. (FIPS 140-2 L2 security on the HSM isn't worth a damn, and prevents people from using inexpensive hardware with open-source drivers.) But CAs and the CA/BF will try to find ways to keep the EV cash cow alive for a while yet.

Michael Wojcik Silver badge

Re: IoT

Look, kid. In my day we had to use wood-burning computers, but we made do.

Michael Wojcik Silver badge

Re: Shakedown time

You'll miss out on new intermediates (and the rare new root) from CAs you trust. And you may re-import compromised intermediates (or roots) that have been removed by the browser manufacturer.

Properly maintaining a list of trust anchors is difficult.

Michael Wojcik Silver badge

Re: I still wait for Let's Authenticate...

In a sense, the only half is authentication - if you can't authenticate, the encryption is useless because you may simply be talking to a MITM or other ne'er-do-well.

For that matter, now that RSA is deprecated for key exchange by pretty much everyone, and the world is shifting to ECDH and other Kx protocols with forward secrecy, X.509 certificates often don't play any part in encryption regardless. In modern TLS (which is not the only, but by far the most common, use of X.509) certificates are primarily for authentication.
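An added example to show the point about certificates being for authentication rather than encryption. This is illustration code written here, not anything from the post or from any TLS implementation: a toy finite-field Diffie-Hellman exchange in a deliberately tiny group (the modulus, generator and the Schnorr-style signature are constructed stand-ins, not secure parameters), in which the server's long-term key does exactly one job, signing the ephemeral shares. The session key is derived only from the ephemeral exponents, which is what gives the forward secrecy the post mentions: leaking the long-term key afterwards does not reveal earlier session keys, because it never entered the key derivation.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration; far too small to be secure).
P = 2**127 - 1   # Mersenne prime used as the modulus
G = 5            # generator (toy choice)
Q = P - 1        # exponents are reduced mod P-1 (Fermat: G**Q == 1 mod P)


def h_int(*parts):
    """Hash length-prefixed byte strings to an integer mod Q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


# --- long-term identity: the toy stand-in for the server's certificate key ---
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)          # (private, public)


def sign(x, message):
    """Schnorr-style signature: proves possession of x over `message`."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h_int(to_bytes(r), message)
    s = (k - e * x) % Q
    return r, s


def verify(y, message, sig):
    r, s = sig
    e = h_int(to_bytes(r), message)
    # G^s * y^e = G^(k - ex) * G^(xe) = G^k = r
    return (pow(G, s, P) * pow(y, e, P)) % P == r


# --- one ephemeral exchange; the long-term key only signs the shares ---
def handshake(server_priv, server_pub, tamper=False):
    """Return the agreed session key, or None if authentication fails.

    With tamper=True an on-path party swaps in its own server share after
    the real server signed; lacking server_priv it cannot re-sign, so the
    client rejects the exchange instead of deriving a key with the attacker.
    """
    a = secrets.randbelow(Q - 1) + 1   # client ephemeral
    b = secrets.randbelow(Q - 1) + 1   # server ephemeral
    A, B = pow(G, a, P), pow(G, b, P)
    sig = sign(server_priv, to_bytes(A) + to_bytes(B))   # binds both shares
    if tamper:
        B = pow(G, secrets.randbelow(Q - 1) + 1, P)
    if not verify(server_pub, to_bytes(A) + to_bytes(B), sig):
        return None
    client_key = hashlib.sha256(to_bytes(pow(B, a, P))).digest()
    server_key = hashlib.sha256(to_bytes(pow(A, b, P))).digest()
    # server_priv appears nowhere above this line: it cannot recover a or b later
    return client_key if client_key == server_key else None


if __name__ == "__main__":
    x, y = keygen()
    print("session 1:", handshake(x, y).hex()[:16])
    print("session 2:", handshake(x, y).hex()[:16])   # differs: fresh exponents
    print("tampered :", handshake(x, y, tamper=True))  # None
```

Two sessions under the same long-term key yield unrelated session keys, and a substituted share fails the signature check; that is the whole division of labour the post describes, with the certificate (here, `server_pub`) used for authentication and nothing else.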

Michael Wojcik Silver badge

Re: equates to 31 December 9999

Feature. If we're still using ASN.1 in 9999 we don't deserve TLS.

Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

Michael Wojcik Silver badge

Re: Ahhh passwords...

There are other problems with these "partial password" schemes. They're really not a good idea.

LibreOffice handlers defend suite's security after 'unfortunately partial' patch

Michael Wojcik Silver badge

Re: logo?

It is when you're trying to teach Joe Stupid to extend the functionality of their office suite when things need to get done that the suite doesn't do out of the box.

I'm not sure what "things [that] need to get done" in an office suite are best done with a moderately-obscure[1] LISP variant with turtle graphics.

VBA may be (is) abysmal, but Logo is really not a good choice as an alternative. I don't see any good justification for including the package in LO.

[1] And, yes, I've used Logo. Had a copy of DR Logo for the IBM PC back in the day.

Fed-up graphic design outfit dangles cash to anyone who can free infosec of hoodie pics

Michael Wojcik Silver badge

Re: Funny thing

pretty much everyone in IT uses at least two monitors if they can these days

Bah. I outgrew the multiple-monitor configuration in the mid-1990s.