Posts by Nick Ryan 3756 publicly visible posts • joined 10 Apr 2007
The code written on them won't, as it's usually written by the typical modern developer who has no clue about security, accessibility or anything long term let alone error handling. However the devices themselves, and the libraries built into them, do try to apply the correct checks. Of course, baking an HTTPS stack into firmware has disadvantages if done badly or when standards change, therefore there will always be churn for this reason if nothing else.
Unfortunately if the only solution is CRLs and not certificate expiry dates then as time goes by the CRL will become so large that it will cease to be viable. Therefore expiry dates are a fair solution to things.
As for the cert providers "valuable" service in doing not very much other than processing invoices... yep. It's infuriating the price gouging that went on and is still largely going on.
Most of the in-car sat nav devices built into cars are obsolete and out of date by the time the car leaves the production line. These are rarely, if ever, even given map updates leading to the almost humorour situation of being told to take the 2rd exit at the next roundabout in 50 yards while driving down a dual carriageway at 70 mph.
I remember the pleasure of not having to spend more CPU cycles juggling a pitiful number of limited registers around rather than do anything constructive with the CPU cycles. To "fix" this, they just added more and more complicated instructions that after glaring at them for a while, holding the documentation sideways and waving a dead chicken at I'm often at a loss as to why some of them exist other than the very occasional edge case.
It's made more complicated because in order to handle to ridiculously complicated and often edge-case instructions cobbled into the extended x86 instruction set, both AMD and Intel implemented much of it using a simplified RISC instruction set underneath. Much easier to validate this and to performance tweak it.
It's even worse when a networked printer is turned off for a while, then reconnected and Windows will identify it as a "new device" and install a new ****ing printer driver and printer reference in Windows, while retaining the old one. Now... is the working printer "Printer (2)", "Printer (3)" or has it reverted back to "Pritner" today? FFS.
Somehow I've even managed to get an old printer stuck and unremovable in the list of printers as well. OK, I could probably go on a hunt-kill in the registry but that's a bit tedious.
The problems stem from the origins of Windows and how Microsoft have refused to improve anything much on the application management front other than make the entire thing an even worse spaghetti mess than it was before...
Microsoft Windows originated as a single user, wholly trusted non-networked windowing environment. From the start, there was no concept of even remotely effective library management, and definitely no concept of secure library management but this is almost forgiveable at this point in time.
As time progressed PCs became networked, although Microsoft tried to fight this as much as possible until the were forced to because otherwise the potential for centralised identity management and the server infrastructures would disappear outside of Microsoft's remit. There was still no concept of local user security though and any user had complete access to the system, the only things secured were server based. Library management and application management was still a mess, with a horror mess of mixed application code, data and configuration settings.
With 32 bit Windows Microsoft had an opportinty to separate data from application code and to enforce some basic level of user access management and to add library management. Naturally, they didn't and Microsoft's applications still to this day store data files in the program files path. As for a safe way to update applications? Nope, not present either. Along the way Microsoft intentionally commingled their applications with Operating Systems in order to maintain application as well as operating system monopolies - this really didn't help security either.
Security is something that is very hard to retrofit; it really must be built in from the start. Microsoft has done an appalling job of transitioning to better security, although it does have to be considered that backwards compatibility is important too. Applications and their data should be entirely, 100% separate from the Operating System that happens to be hosting them. Things get complicated when it comes to applications used by multiple users on a system, as in is the application available to all users on the system, some, or just one? The same goes for the application's configuration files and for any data that it may require or generate. None of these are unsurmountable but even now are neither defined nor catered for at the Operating System level, everything is some kind of bodge, kludge or work around.
...and as for code signing? It does nothing more than indicate that the author paid for a certificate and signed the resultant code. It specifically does not gaurantee that the application does or does not do anything in particular, malicious or not.
There is absolutely nothing of value on that hate filled trash site. Occasionally I click a link and accidently wind up on it and I'm never not appalled by what I see. It's all about rabble rousing, blaming others (doesn't matter who, as long as it's "others" - standard right wing hate propaganda) while pandering to bitter old people about how things were "better in the past" and the awful awful, sexualisation of women and girls while the rest of the content in it is the sexualusation of women and girls...
It's to the point that whenever I see somebody reading the print version I immediately think "racist" in my mind. That's not a constructive or nice generalisation to wind up making about people that I don't know but, given the content which is so insiduous and repetitive (brain washing, in effect) and the comments from those that read it, unfortunately inevitable.
Before the easy availibity of benchmarking software we used to test a system's performace by playing solitaire on it. This was both for the general feel of drag and drop but the key test was the animation upon completion (which on particularly crappy systems would jerk very badly and glitch).
I don't know how original this completion animation was at the time (probably reasonably so) but it's interesting to see the same animation being played out in many modern versions of solitaire both on PCs and on mobile devices.
I always felt that it would have been much more sensible to clear up the naming conventions to something like INT8 and UINT8, INT16 and UINT16 and so on rather than having to remember arbitrary, inconsistent namings for the pair of them and to reserve the likes of INT or UINT for when one really didn't care about the size but wanted the compiler to pick the most efficient for the target system (which could be a hazardous assumption of course).
The thing that really annoyed me was Wirth's indescribable desire to move to a single pass compilation process. This caused no end of dead chicken waving to get otherwise simple things working.
I've had developers who just disabled all the warnings and hints. This was reflected in the final code performance and reliability.
On the other hand, I've had sections where due to bugs in the compiler it generated false warnings. Annoying to have to try and restructure an entire code block to work around a buggy warning, but at least turning warnings off and back on again was possible.
Agreed, it's staggering how because there didn't seem to be the equivalent of StackExchange "solutions" to a problem that something as simple as type casting in Pascal was deemed impossible (OK, some of the early academic versions never touched anything low level but . I did plenty of binary input processing in Pascal, it took a little effort but in the end was a very stable way of processing the data and depending on the situation, sometimes unions, sometimes just a few different defined classes were all that was required. With the various different classes all it took was a cast to the appropriate type and the data came out natively.
After the current typical failure of the UK's "contact tracing" app (aka incompetently cobbled together spyware) I can't wait for what ridiculous total spyware solution they come up with when it comes up to demonstrating that one has either had the vaccination or has had covid-19 and therefore have antibodies to it (me). Doubtless some central tracking system which will have special exclusions for "celebrities" and "politicians".
Non-static bindings may be a PITA to manage at first sight, but with a standard template library to manage them they work fine. And what's more, rather than an application just arbitrarily failing to load with no error messages or suggestions whatsoever as to what the problem is, it's possible to log and to present the user with a useful and meaningful error message as to why the application is failing to even load.
Alternatively embrace "modern" development, do no error handling whatsoever, leave expected errors to generic exception handlers and provide no logging or error messages at all when something goes wrong. Because it will.
Pretty much inevitable really.
Many years ago, and before digital photography was even remotely widespread a friend at the time showed the (digital) video of when he and some friends gave their home made rocket powered it's maiden flight. It was large and had to be launched from a height of about six feet therefore was hand launched by a few people carrying it at shoulder height in the quasi-suicidal way that these guys operated. The plane launched successfully, dropped down to near ground height skimming the grass while very slowly gaining height. It was launched on a ranch, with the only things in sight other than grass being some very distant trees and a single, inexplicable, fence post several hundred metres away. Inevitably the plane hit this fence post dead on, not even a glancing blow.
I've tried searching for this video online, but just can't find it, which is a surprise seeing as these guys were pioneers in all things digital :(
You forgot gloves...
They have value as long as the gloves are very regularly very carefully removed and carefully replaced with clean gloves. Failing to remove gloves very carefully is an issue with trained NHS staff, let alone the general public.
Not replacing gloves does nothing other than keep a virus off your own hands, it certainly doesn't help to prevent the spread of a virus, and some studies have indicated that wearing gloves spreads a virus faster.
Go to the printers as the C-level will print whatever document they have to the first printer in the list. If it doesn't turn up on the expected printer they'll typically print it again. After a few times they may try printing it to a different printer if they are particularly adventurous, but usually it will involve shouting for their PA to fix the printer (which has been working just fine and by now has printed out a dozen copies of a confidential report to a printer in a different room/office).
Luckily for me I only wound up having to deal with a single email storm and it wasn't a reply-all one. It was a stupidly configured server with an "out of office" auto-responder which responded every single time an email was received rather than just once to each sender. The sender, in NZ as it happens therefore a good 8-12 hour delay before I could contact their IT team, had sent an email to an invalid email address on our domain. Our server correctly responded at the SMTP conversation level that the email address was invalid at which point their server created a response for their user which generated a fresh "out of office" message to the invalid email address, which our server responded to and so on...
In the end I temporarily blackholed their domain and waited for the thousands of pending email messages and their responses to go through the queues.
I've very occasionally done something like that in the past, but not for a long time as I learned to at least read the messages...
The worst techie example was a previous IT assistant that I had, who wasn't exactly the most talented despite his opinion of himself, who had a problem with his system and by the time he thought to raise it with me he had rebooted two core servers, restarted a firewall, restarted various services, restarted his own PC at least twice too and still couldn't resolve the problem. I had him demonstrate the problem to me and quick as a flash he closed the error dialog and continued with the process that he was having a problem with. I had him go back and start again and asked him this time to not close the error dialog and to instead read it. Frustratingly enough his muscle memory closed the error dialog a second time, but I managed to read a little of it and I knew that it would be reporting the problem. The next time he stopped and I had him read the error message: a user access level error that took us moments to fix. He'd been working on this problem for a day and a half.
I'm struggling with the use case as to why someone would want to fire up a very light weight VM (which is what containers are meant to be) and have an instance of MS-SQL server running in it. MS-SQL is anything but light weight. I can understand lots of containers with MS-SQL clients running in them, but to fire up MS-SQL servers on demand? It feels like either a bit of an edge case or a rather "interesting" design choice.
It's a nightmare isn't it? It took quite a lot of consultations with Microsoft's licensing monkeys to confirm and validate a solution.
In the end we have a license of Windows server datacentre edition with licenses for the number of cores on the VM host servers. This gives us an unlimited number of guest instances of windows server DC edition.
It's also very encumbered by patents. While this sort of works, this only remains the case as long as there are enough different patent holders that they are forced to cross-license them across all competitors - mergers of large organisations really don't help with this. When there are too few different patent holders the barrier to the entry to the market to any other organisation is so high that it's restricted to a few who then with less competition no longer have to worry about quality and innovation and can instead milk the market for all they can.
The solution is, of course, open standards. Unfortunately when it comes to theoretical and practical power and radio research this can rapidly become very expensive and that's before the different spectrum licensing regimes around the world come into play. As a result it's an expensive market to be in and the investment in research needs to be paid for somehow...
I'm fairly sure that arbitrarily deciding that individual suppliers are "bad" is not going to help though.
FTFY: Security vulnerability in a web tool written in any scripting language; must be a day ending with "y".
Seriously... clueless developers abound and it's staggering the awful quality of code that gets vomitted out often using "modern", "progressive" and other bullshit excuses as to why errors don't need to be handled, to excuse the barely mappable mesh of external dependencies pulled in at uncontrolled times and why making a complicated mess is somehow a good idea.
As for repeating the same mistakes that have had solutions and well established best practices for well over 30 years? Never trust user input and only construct queries using proper parameters.
I first bought a brother laser printer about 15 years ago. It lasted about 12 years, drivers were simple, included in windows (even 10) and I only replaced it when so many parts were worn out that it was cheaper to buy a new printer than to repair all the drums and rollers and cogs and so on. I replaced it with a new Brother laser printer, of course. I also bought genuine toner from Brother because there was no point in buying cheaper copies as the price wasn't that different and frankly, I'd rather "reward" Brother with continued purchases than have them go down the horror of the HP route.
Sorry, but I don't think you understand the scale of the combinations of hardware out there.
Let's take a typical laptop from a typical laptop manufacturer as this keeps the amount of user changes down to a minimum.
Just a single model of a laptop with a bland and seemingly consistent branding and model number will typically have a good number of hardware and firmware (BIOS) revisions from first launch to 9-12 months later when it's replaced by an almost identical model using cheaper, newer components but for a slightly higher price. To keep things simple let's assume only 5 revisions of the hardware between release and retirement, these changes are usually small, but will often require slightly different drivers or if not, they are still different somehow - otherwise they'd be the same. To keep things simple each of these 5 revisions is just a single change in some hardware, doesn't really matter what.
That's 5 revisions just for this single manufacturer's laptop model that lasts 6-9 months before it's replaced. However this is very far from the end of the these changes, because this model can be fitted with an option integral webcam and an option TPM chip. So we're now up to 20 different versions of the same laptop. But wait, there's a different US version due to some local WiFi nonsense therefore there's a US version and "rest of world" or "international" version. OK, we're now up to 40 different versions of the same laptop. It gets better though, because this is an international company and therefore the keyboard is available in American, English, German, French, Spanish, Portugese and so on.... let's just assume only 10 different keyboards are available. That means that we are now up to 400 versions of the same laptop/
* Assuming no numerical model interactions between the US only WiFi and American keyboards, it could be that the US WiFi model is only available with an American keyboard for instance - if this simplification offends you, just add some more keyboard layouts to the example...
It's a simplified example but it doesn't include the almost unlimited extra things that could be plugged into the laptop such as external monitors, docking stations, mice, keyboards, dongles, USB storage devices and so on. Many of which will have their own versions of hardware and drivers and integrate closely with the host system through DMA. This is before the different BIOS versions come into play and the different operating system versions and languages and installation options and whatever the user failed to click "no" to at the appropriate time.
It wasn't that long ago that certain models of Renault cars had a join in the wiring loom under the carpet in the passenger footwell. All "fine" unless it was repeatedly trodden on by a heavy passenger, crushed by a heavy object or when the car leaked and it got wet (in which case the standard "fix" was to just drill a hole in the floor of the car)
BoJo is 100% about BoJo - every message from him starts with "I", or comtains "me"... never "we". He has zero capacity to give a shit about anyone else other.
Humurous buffoon and all that aside... this is the charmer that had his PA buy his wife her birthday, anniversary and christmas presents. Every year.
I strongly suspect that anybody who dares to contradict his Trumpness in any kind of meeting is quickly and summarily fired. This leaves a room full of dire sycophants who are either entirely out for themselves regardless of what it does to the country or anyone else, or just try to suspend their disbelief and to try to survive the idiocracy by never disagreeing or being very careful not to appear to disagree.
Trump didn't get to be such a complete and utter narcissist by letting anybody question him.
The data already there... is already there.
Which is fine as long as absolutely no processing is performed on the data or the data does not include any data covered by the GDPR. It doesn't matter how or when the data gets there, it's the processing that matters (and data transfer is a process).
I can help you imagine how it looks...
I've found that applying an override stylesheet is the only bloody way of being able to read the "modern" Microsoft web pages.
Please stop ranting.
However you are quite correct, once given power governments are usually very unkeen to let it go. In the UK some more sensible people forced the government to put a six month review period on the Coronavirus Act 2020 - as in it has to be specifically voted on again to continue for another six months.
There are massive shortages of equipment and there are no cures for the virus (and in most cases, there are no cures for viruses, just preventatives). Right now all we can do medically is to try to keep the patient alive until their own body can fight off the virus and this is why ventilators and all that are really important.
I've had the virus and got over it a couple of weeks ago with just minor post-viral pneumonia to show for it while my lungs are healing. The virus hit my lungs rather than my throat therefore I didn't have a cough, just bad chest pains and a somewhat reduced lung capacity.
Was it bad for me? No because I don't have any underlying breathing issues, or other serious health issues, and healthy lungs and the ability to fight off a virus are the key factors. Elderly people have a reduced ability to fight off new diseases and often have lung related issues as well therefore it's particularly bad for them.
For me, it was a bit worse than the usual seasonal flu which I tend to just ignore and get on with my life. However I was left short of breath, dizzy and confused as a result and even a just 15 minute telephone call resulted in a nap for an hour afterwards. For anyone with existing lung issues it would have been very unpleasant and very bad and likely to have required urgent medical intervention. If someone also had a reduced immune system and their body is slow to fight off the virus, it would spread much faster and be even more serious.
It's never been about me catching the virus, I expected to really, it's about me not passing it onto those that will suffer from it, mostly the elderly and those with existing lung conditions or weakened immune systems. There are also the occasional outliers who either has a genetic weakness to the virus, undiagnosed health issues or just crap unlucky and rather than start with a small infection get a large dose of it to start off with and thereby overloading their system before their bodies can fight it off... such as health care workers who are not given enough protective equipment.
Given the encoding it would (should) be possible to differentiate the various structures, as in filter out the multiplexed audio out to start off with. That leaves the video data. Most live encoding schemes don't use B frames, for obvious reasons, therefore we're usually left with just I and P frames. I frames are usually identifiable by their size and consistency whereas P frames being what they are can be pretty much any size and in numner and describe any of the various deltas between first the I frame and the next generated frame and then from one generated P frame to the next... from block data changes, colour adjustments, block position changes (movement) and so on - they are very efficient and well compressed therefore quite unlikely to be readily guessable compared to the I frame. Which given all the block filtering won't be too easy to pick out anyway.
I do agree though, the example image is a bit unrealistic and unhelpful and is rather unlikely to be possible. However given better processes and more processing power? Who knows. Definitely best to avoid known weak encryption schemes.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
