Posts by Nick Ryan

Re: Interesting research

And Tesla has already been shown to miss a large object in front of it under adverse seeing conditions.

This unfortunate accident was caused by two things:

Firstly the driver not understanding that the software wasn't really an autopilot and more of a driver assist. This is Tesla's marketing department's fault, since rectified, but from what I understand this particular driver should have been well aware of this as he was close to Tesla and a keen advocate.

Secondly US trucks do not typically have guards down the side presenting an open space that often cars can fit into too well - there are many many reported instances of human controlled cars falling foul of trucks as a result. There's a reason that such guards are mandatory in most of the rest of the world. As a result the car, quite correctly, saw an open space in the road because there was one - the fact that it wouldn't fit entirely in the vertical space is an issue, but cars are not expected to be driven at speed at exceedingly low bridges and for practical reasons the height of the scan (lidar/radar,etc) is limited, although hopefully enlarged now.

Of course not. However even without 2FA, all they'd need is a half decent security approach, however given the government's approach to anything recently, IT related or not, it's no wonder that the parliamentary IT system follows the same principle.

2FA is a good idea, let down by reality and usually compromised by the implementation and hamstringing convenience. Sending access codes to a device that the user is likely to have in hand doesn't really increase security much, likewise codes sent to other devices or accounts - the end result is often a syste, that's so inconvenient that users try to avoid using it. Poor mobile support for 2FA, e.g. so users can use modern technology and standard(ish) applications to access their email or documents doesn't help either - seriously, a secure email application doesn't have to be an unusable PoS compared to the ones supplied for free by Apple, Google or Microsoft.

Remote email clients can easily be protected with client certificates - this doesn't help much when losing the device, or access to the device, but it does help prevent non-authorised connections which is what this is all about.

This is before smart stuff can be done on the server side, for example rate limiting incorrect logins - the technique has been around for years through simply steadily increasing the delay between allowed login attempts. This can be enhanced through reducing or bypassing the delay for expected originating IP addresses as this can reduce the DoS prospect.

Nothing hard, and as another poster has noted - why do they not run dictionary attacks against their own accounts? It's a simple process and greatly reduces the use of poor passwords.

Re: No internet, huh?

One would hope that the 3G/4G modem inside was connected to a private internet, not the public Internet. Most mobile providers are, or should be, capable of providing such network connectivity. As a result, malware shouldn't be able to connect to anything that it may require, particularly as most malware instances are delivery platforms for the real payload.

Re: Mouse not working on mousemat

I came across one similar when I came across the first introduction of optical mice as an upgrade to the ball and wheel mouse predecessors. Turns out that the optical mice didn't like the glossy surfaces of the standard issue branded mouse mats which worked fine with ball mice. It was considered ironic that the workers that had the best working mice were either those with the dirtiest environments, as in their previous mice failed all the time due to the dirt or those that didn't toe the company line and had alternative mouse mats.

Re: The good news is that she didn't mention Trump is visiting...

Should we wait for the impeachment momentum to build before setting a date, or should we wait a bit? Hmmm....

So Windows is putting up an ad *telling* users to buy a new version of Kaspersky, and Kaspersky are still unhappy. Sheesh!

My thoughts as well - while I'll more than happily bash Microsoft, this "your 3rd party AV software is out of date, we suggest that you update it (and here's a link as to how to)" functionality is generally a good idea. It wouldn't take much to push it towards promoting Microsoft's own services at the exlusion of others but as it is, it's most likely a good thing. Likewise, Microsoft's helping out by covering any gaps in AV support automatically is generally a good idea, particularly when you consider that, unlike the pagmatic techie bunch that lurk here, the majority of computer users really don't care, and in many ways shouldn't have to, and just want their PC to continue acting as a word processor, web browser, video player and game platform. As long as the transition is clear and above board, this is also likely to be a good thing.

Unfortunately most of us here have been on the receiving end of, or observed, Microsoft's considerably less than noble actions in the past... Abuse of trust is not an easy thing to forget or forgive.

Re: Paradox. Everyone hates ads. Everyone wants stuff for "free".

Unfortunately until the website owners finally understand that putting several screens worth of utterly useless, devaluing trash adverts all over their pages we're going to be stuck with his rubbish for some time. There are countless websites that I can no longer be bothered to visit because the experience is so painful.

And I suspect that in traditional moronic marketing accounting practices, the owners of these websites are seeing less income from adverts and therefore increasing the number of adverts to compensate.

Re: Mission critical stuff should legally never be done?

"I think that any mission critical software that carries a real risk to human safety should never legally be allowed to be done as long as the original vendor continues to trade."

A fine concept, except within a decade or so all software will be provided by the likes of Capita, IBM, HP(E) and so on... is that what you really want to happen?

Re: Universal Plug 'n' Pwn

Makes it that much harder for ET to phone home if only Edge and IE are permitted to initiate traffic to port 80.

Until you get to the most incredibly non-sensible security disaster by design that's svchost.exe. Good luck filtering by application when stupidity such this is provided as a core part of an operating system.

Yes - be very careful when using OneDrive for business because it does (ab)use SharePoint for file storage, presenting an interface that appears to be similar to a file system but in reality hides a whole lot of painful gotchas and a world of stupid. It's OK for document storage and versioning, for example standard Office documents, but the whole thing starts to go wrong with anymore more complicated, such as streaming, VCS systems, large files of any denonimation and so on...

Re: What about privately agreed crypto between private parties?

He's still here: https://forums.theregister.co.uk/user/31681/

A bit of a strawman comparison if such is possible. While the Apple devices are often, but not always, poor when comparing the hardware specification and price with alternatives, comparing one to something that is not comparable is a bit pointless.

Re: IT angle?

IT angle? It's about, erm, vultures. Look at the El Reg logo. That's close enough evidence for me on a Friday night.

Re: MS back in the game

er

that's about it.

you forgot the MS "ergonomic" keyboard.

Microsoft are a software services company - you pays them money, they let you borrow the use of their software for an agreed period of time. Updates are provided if you agree to pay them more money.

Re: Wow

That's the state pension scheme problem - there isn't one in any financial terms as it's as described - a "hope we can pay for it later" investment scheme. On the other hand, company pension schemes where companies are able to raid these assets and use the funds for their own purposes, often short term bailouts to ensure that dividends and bonuses are paid, not to invest them responsibly are a growing problem. The protections on these non-state pension schemes have been gradually eroded by politicians who have more a passing interest in the organisations who wanted to "unlock the value" (i.e. take the money from) the pension schemes.

Re: Water, water everywhere...

I'm not a planetary scientist

This is what it should have read :) (and it wasn't even pub o'clock)

Re: Android really is a clusterf**k isn't it?

Other app stores, and other Operating Systems have almost identical problems. Given enough obfuscation and a plan it should be relatively easy to hide malware in titles until you want them to trigger. If the malware is hidden/obfuscated well enough then it will get past automated scanners looking for it. The scanners can be updated but this is the same old problem with virus scanners - they are retrospective.

Re: Applications are vulnerable?

"When I was testing 10, it also ran fine with Edge, Cortana, Windows Store, and all other unwanted junk forcefully removed"

care to share where you found the instruction for this?

Looks like this info is missing...

powershell is your friend here.

Get-AppxPackage will list packages for you

Remove-AppxPackage will remove the packages that you don't want

I'm not sure about removing Edge or Cortana using this however the windows store and much of the utter shite* that is force fed onto Windows 10 systems can be removed. Just beware that because of the shit way the windows store/update process works removing an "AppX" (metro/store) package from a system does not purge the update queue of the bloody thing therefore it will get reinstalled. Wait for all updates to be applied (there is no notice of this, of course, it's entirely invisible) and then run the removal scripts and the things will be gone.

* Some of it it might be good, but force it on me and I'll delete it with prejudice. Also jaded experience indicates that it won't be good...

When I worked for them it became apparent that the multiplicity of disparate systems all of which had to communicate to keep the airline running were an accident waiting to happen.

<= THIS

Organisations need to periodically refactor and simplify their systems, particularly after what can sometimes be decades of accumulation and evolution. Yes, there is a risk in doing this, however there is probably more of a risk in not doing this because of unknown, undocumented systems being somehow critical to operations. Like insurance, it's a gamble and in this case BA lost - now it's just a case of them working out how much money they lost as a result.

Some organisations refactor and simplify on a continual basis which, if done well, should remove the need for more drastic measures later. However this requires more ongoing investment and planning but the upside is better systems overall and, most likely, cheaper in the long run,

Re: Only off by a factor of 1000

The calorie thing by way of food intake is laughably inaccurate anyway. This doesn't mean that it doesn't have value, because some measure is better than no measure, just that people shouldn't accept it as utterly accurate.

Consider this: how does a human body process food? The chewing, saliva and other enzymes are just the start of the variables, then there's the bacteria in the digestive system and their variety efficiency, which greatly varies depending on the bacterial make up, the pre-processing of the food (cooking, chewing, etc), the food itself and the internal conditions at the time (food bulk, temperative, acidity, etc). Basically, it's complicated. Very complicated. Also, some foods require considerably more energy to break down than others - this is generally the value of more natural foods compared to heavily refined foods which are usually very easy and quick to break down, as in the difference between long chain "sugars" and short chain (refined) "sugars".

How do we measure the calorific value of food? The original method was through measuring the temperature change in water through burning the food. The methodology these days is a bit more refined than this however the overall process is/was based on this. The calorific value of most modern foods are calculated using pre-set values and the manufacturer's estimated/average measure of the food components and extrapolating from there.

Re: Dark Matter - pah!

Have we got some kind of hellishly perverted dark matter fetishist around?

Probably, but scientists are human like the rest of us and if much of your professional life is based upon a proposition and somebody questions this the reaction may not be positive. There are quite a lot of notable scientists who have doggedly stuck with theories that were later disproved, it must have been very hard for them.

Re: Non issue

In the UK, for broadcast material (TV shows), the copyright period is 50 years from the year of first broadcast, therefore anything broadcast 1966 and earlier has expired. For films it's rather harder to calculate as it's based on the death of the directors, authors, etc plus 70 years, therefore it has to be judged on a per film basis. However it does mean that some true classics from the 1930s are generally available now.

In the US, however, the Disney Corporation paid to change the copyright law to protect one of their most boring, but for some reason iconic characters, Mickey Mouse. Doubtless they'll do the same again in another 15 or so years to extend the US copyright period for films further.

Re: Has a thing that doesn't exist gone too far?

At least this "AI" is using some of the fundamentals of real AI, as in neural networks and training - so more "machine learning" than procedural programming or AI. Most are nothing more than procedural iterations with configured choices with an AI badge slapped on for marketing purposes.

Re: El Reg Comments on Hacks

Did I mention that I'm really clever? I noticed that it was all the Tories' fault as they encouraged, nay forced, criminal software vendors to write code that can't run on patched systems.

Genius sir. I now no longer have to think about any posts. Ever. Let's lobby El Reg to build a real (and genuinely) AI system that can create post for us. Perhaps with a little help from the community it will produce output more intelligible than their previous attempt, AManFromMars.

Although perhaps one could add sub-categories to the scheme and group it according to political party, vendor, supplier, cloud blame and all that. I suspect that merging it with the BofH's excuse calendar would help as well. Currently the most obvious omission is the "I build my own processors by hand using tin and copper that I mine in my own garden therefore I know my processors inside and out" type of response...

Re: FIFA, I mean ICANN

In the age of negative press it's delightful to come across something thinking positively. So rare these days...

Re: Well one of the features of Windows used to be...

It would have been even better if the API featured all the bloody functions that one needed when it came to printing and rendering. Hell, if printing used the same units throughout it would have been an improvement what with having to pass much code through various twips to inches to cm to pixel translators before using them.

However even aside from this, where MS really dropped the ball is that they could have easily implemented an OS level printer preview that would have worked for applications using the Windows printing mechanisms, as distinct from using PostScript direct. Unfortunately printing has always been the poor cousin of PC software design and even now printing support both at the Operating System and application level is pathetic. When was the last time you didn't scream at your web browser's half-baked and largely useless print of a web page? Have you tried printing an image using the Windows 10 native image viewer (hint: it doesn't work, right click file and click Print to print usng the old image viewer's print handler which does work, most of the time).

Re: pragmatism

Answered with a question... Which is more expensive to the major telcos involved? Patching, red tape or the occasional fine?

These assistants – which use powerful AI (artificial intelligence) engines to deliver detailed, context-aware and personalized answers to users’ questions

Yep, stuff like the above is total marketing bullshit. Hello, El Reg [SLAP], are you listening?

They have reasonable voice recognition routines that may, just may, use some neural nets but most likely just refined algorithms. Neural nets are rather expensive to simulate in either software or hardware compared to traditional voice processing. These words then get passed through a few filters to try and figure out what the poor user actually wanted, then these words are passed onto a specific application that may, possibly, could do (but almost certainly doesn't) use AI or neural net processing in order to process the provided words and perform an action or give a response.

In other words, pretty nifty language processing being passed onto textual services depending on the interpreted words. What these services do may or may not be clever, but it ain't AI by any stretch of the imagination. It's most likely not even Machine Learning.

Re: What does this vulnerability actually enable?

Another question I'd be interested in: both CPQ/HP and Dell servers have had their own equivalents of the above functionality, for years, even before vPro/AMT (for CPQ it's the iLO or integrated Lights Out facility, can't remember what the Dell variant is called). Do these systems also have the newly publicised vulnerabilities?

No, they have their own vulnerabilities. A good pen scan will show these buggers running antiquated versions of shared libraries, are know to have hard coded passwords and many other horrors. On the other hand, they are very, very useful.

As pointed out previously in comments, in the UK engineering is not a licensed profession. Engineers here bang on about the fact that doctors and lawyers are licensed while engineering is not.

Not licensed? If you want to build many things in the UK, the design must be approved by someone who is a Certified Engineer in order to not fall foul of Building Standards

Different fields of engineering have rather different requirements and, necessary, restrictions and controls. Therefore if you want to work in the field of nuclear engineering in the UK you had better be up to date and a member of the Nuclear Institute, or a recognised international equivalent - it starts to get messy at this point. Likewise working with dams and resevoirs and many other construction projects. Having somebody who is demonstrably competent (to a level of testing as such as is possible - the hard bit is having a test that is as objective as possible) sign off on projects that could adversely affect, or just kill, members of the public is a good thing.

Re: Why not go further?

I suspect that too far would be the Oric-1 :) Although it would be an educational and possibly a hard task for a relaunch to accurately replicate the serious problems that these devices were launched with. In theory it was a superior device to the Spectrum however the implementation lead to it being considered the clown-car equivalent at the time.

Re: Demand pricing...

Airlines/online travel agents have done this for a long time. It's not the searches that ups the price, it's the cookies on your local computer. For a long time (haven't tried for a while) the only safe way to buy such things online was to search using one browser and then go back with a different browser (or clear all cookies) and then buy the damn ticket/holiday/flight at the original price. Operated by Utter Bar stewards.