
* Posts by Alan J. Wylie

442 posts • joined 12 Jul 2008


Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit

Alan J. Wylie Silver badge

NCSC advice

The National Cyber Security Centre (part of GCHQ) doesn't think that forcing regular password expiry is a good thing.

'Blockchain SAVED my Quango'

Alan J. Wylie Silver badge

"Do you need a blockchain?"

Blockchain flowchart, taken from this NIST PDF

Bird, Lime, and Xiaomi face scooter sueball

Alan J. Wylie Silver badge

This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet

Alan J. Wylie Silver badge

Re: Thanks for making this public

The CVE was raised back in July

Raised doesn't mean made public.

I monitor CVEs for a living (it's tedious and boring: since early 2017 there has been a huge increase in ones of no relevance). The first I saw of it was this tweet, yesterday at 9:30 pm.

The NIST site says published on the 25th, too.

Alan J. Wylie Silver badge

Theo de Raadt of OpenBSD is not happy

Nobody at OpenBSD was made aware of the bug until very late on, despite an OpenBSD developer being on the X security team. The release of 6.4 could have been delayed until after the public announcement.

Excuse me, but have you heard the teachings of our Lord and Savior, Jesus Chr-AI-st?

Alan J. Wylie Silver badge

Theological AI, what could possibly go wrong?

Answer, by Frederick Brown

He turned to face the machine. "Is there a God?"

The mighty voice answered without hesitation, without the clicking of a single relay.

"Yes, now there is a God."

Alan J. Wylie Silver badge

Can it re-phrase this into a form that doesn't cause schoolboys to fall asleep?

And spotteth twice they the camels before the third hour, and so, the Midianites went forth to Ram Gilead in Kadesh Bilgemath, by Shor Ethra Regalion, to the house of Gash-Bil-Bethuel-Bazda, he who brought the butter dish to Balshazar and the tent peg to the house of Rashomon, and there slew they the goats, yea, and placed they the bits in little pots. Here endeth the lesson.

Linguists, update your resumes because Baidu thinks it has cracked fast AI translation

Alan J. Wylie Silver badge

Time flies like an arrow. Fruit flies like a banana.

You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

Alan J. Wylie Silver badge

Memories of Not the Nine O'Clock News.

Kinda lingers

Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then

Alan J. Wylie Silver badge

libssh and libssh2

There are two similarly named projects:

libssh, the one with the vulnerability, and libssh2, which so far doesn't seem to be affected.

Red Hat / CentOS, at least, use libssh2.

Note also that it only affects servers, not clients. sftp servers seem to be the most likely to be vulnerable and exposed.

Amazon's sexist AI recruiter, Nvidia gets busy, Waymo cars rack up 10 million road miles

Alan J. Wylie Silver badge

Re: Trash data in, Trash results out...

The term Garbage in, Garbage out was first coined in 1957.

UK.gov teams up with Five Eyes chums to emit spotters' guide for miscreants' hack tools

Alan J. Wylie Silver badge

content available as HTML

For those with an aversion to PDFs, the content on the US-CERT web site is very similar to the NCSC's download.

https://www.us-cert.gov/ncas/alerts/AA18-284A

Russian 'troll factory' firebombed – but still fit to fiddle with our minds

Alan J. Wylie Silver badge

Reichstag fire

Why does this remind me of the Reichstag fire and false flag operations?

Boffin: Dump hardware number generators for encryption and instead look within

Alan J. Wylie Silver badge

Sounds very familiar

LWN article: Random numbers from CPU execution time jitter (2015) and HAVEGE: a linux "random" number generator that relies on instructions taking an unpredictable number of clock cycles to execute.

Sysadmin misses out on paycheck after student test runs amok

Alan J. Wylie Silver badge

Ada?

Surely the payroll program wasn't written in a strongly typed, object oriented language commissioned by the military?

You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

Alan J. Wylie Silver badge

smacking the laptop owner with a two-by-four?

Surely a $5 wrench?

US govt concedes that you can indeed f**k Nazis online: Domain-name swear ban lifted

Alan J. Wylie Silver badge

RevK's P.P.S on his use of a fuck.me.uk domain.

The Reg takes the US government's insider threat training course

Alan J. Wylie Silver badge

and 94 per cent went to prison

What's the opposite of survivorship bias?

Solid password practice on Capital One's site? Don't bank on it

Alan J. Wylie Silver badge

Nvidia promises to shift graphics grunt work to the cloud, for a price

Alan J. Wylie Silver badge

Re: latency down to a blazing 3ms

3ms round trip doesn't get you very far.

$ units -1 "3ms c" "km"

* 899.37737

Sextortion scum armed with leaked credentials are persistent pests

Alan J. Wylie Silver badge

US watchdog OKs robo-doc AI that spies eye disease all on its own

Alan J. Wylie Silver badge

Re: What about all the other diseases?

That makes as much sense as complaining that a blood test for ebola can't detect a sprained ankle.

I was referring only to diseases diagnosed by inspecting the retina. What's the point of an automated system when a specialist has to look at it anyway to diagnose other diseases?

As for the prosecution, sorry - I missed a sarcasm tag. As with the case of Dr Hadiza Bawa-Garba, the case should never have been brought in the first place.

Alan J. Wylie Silver badge

What about all the other diseases?

Macular degeneration, for one. And what happens if someone dies because of a missed diagnosis? Who do you prosecute then?

Don't let Google dox me on Lumen Database, nameless man begs

Alan J. Wylie Silver badge

BBC Technology + Creativity Blog

The BBC's Technology + Creativity Blog posts a list of BBC pages that have been removed from Google's search results; here's the latest post. It can be a most interesting read.

Tax the tech giants and ISPs until the bits squeak – Corbyn

Alan J. Wylie Silver badge

ISPA's comments

https://www.ispa.org.uk/ispa-comments-on-a-levy-to-fund-a-digital-licence-fee/

increased prices ... divert resources ... slow down broadband rollout

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Alan J. Wylie Silver badge

Section 3

You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results.

I can see why Debian aren't happy, seeing as without new instructions made available by microcode updates, some of the mitigations incur a significant performance hit.

Self-driving cars will be safe, we're testing them in a massive AI Sim

Alan J. Wylie Silver badge

and crucially, road intersections

Who would have thought, 35 years ago, that all the work that a Ph.D. student from Oxford, my colleagues and I were doing programming a Laser-Scan Fastrak in Fortran on a VAX 11/780 to recognize the junctions on Ordnance Survey 1:1250 maps would lead to this?

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

Alan J. Wylie Silver badge

One law for them, another for us

Do not forget the case of poor Daniel James Cuthbert, found guilty of an offence under the Computer Misuse Act back in 2005 for adding ../.. to the URL of a charity's web site.

El Reg article

There is a very thin line between "intending to secure access" and checking to see if insecurities may be present.

Top tip? Sprinkle bugs into your code to throw off robo-vuln scanners

Alan J. Wylie Silver badge

Chaff?

The original name for chaff was "window". A fitting name for software with a generous sprinkling of bugs.

Oi, clickbait cop bot, jam this in your neural net: Hot new AI threatens to DESTROY web journos

Alan J. Wylie Silver badge

Re: Easy source.

Just do a search for "and you wont believe"

Also, "This one (weird|simple) trick".

BTW, does an extended regex count as AI?

ZX Spectrum reboot latest: Some Vega+s arrive, Sky pulls plug, Clive drops ball

Alan J. Wylie Silver badge

Re: What we need

Interested in your thoughts regarding Betamax v VHS

Video 2000

I contracted for a while at Pye TVT in Cambridge (working on a TV video effects console for the 1986 World Cup). Pye was a subsidiary of Philips, and there was a factory shop. Lots of employees, contractors and their friends and families ended up with Video 2000 recorders. Rumour had it that e.g. Dixons allocated the cassettes equally to all shops, and the manager of the Cambridge branch spent a lot of time on the phone talking to other branches to get their spare stock sent to him.

Getting back on topic, I also worked on the Acorn Archimedes and the Sinclair QL.

Uptight robots that suddenly beg to stay alive are less likely to be switched off by humans

Alan J. Wylie Silver badge

Re: Dave

Daisy, Daisy, ...

Microsoft devises new way of making you feel old: Windows NT is 25

Alan J. Wylie Silver badge

DEC's Dave Cutler worked on VMS. Is it just coincidence that WNT is to VMS as HAL is to IBM?

Engineers, coders – it's down to you to prevent AI being weaponised

Alan J. Wylie Silver badge

Re: Dual use is hard.

better engineering meant better guns

Sir Joseph Whitworth's rifle

Alan J. Wylie Silver badge

Dual use is hard.

Many years ago, I worked on computer aided mapping: semi-automated line following. Measuring the boundaries of all the woodland in the UK to calculate the total area, better 1:1250 maps with accurate buried utilities to stop backhoes cutting fibre optic cables, what could possibly be wrong with that? Then came the Falklands war. Digitise the contours and produce a wire-frame perspective of Mount Tumbledown as viewed from Port Stanley, please.

A few years later, I worked on CNC blade tip grinders to make jet engines more fuel efficient. Making 747s greener is great. But what if the US Navy want some for their fighters? Or the Army for an AGT1500 turbine in an M1 Abrams tank?

♫ The Core i9 clock cycles go up. Who cares where they come down?

Alan J. Wylie Silver badge

The song the headline refers to.

Tom Lehrer - Wernher von Braun

Ah, British summer. The sun is shining, the birds are singing, the internet is on the fritz

Alan J. Wylie Silver badge

Fibre break(s) near Manchester, too

Zen: Fibre Cable break impacting Bury Exchange

Exa: At approximately 10:22am one of our core fibre links from London Telehouse to Manchester experienced total failure.

Bury is north of central Manchester, so these may be separate incidents.

Tech support chap given no training or briefing before jobs, which is why he was arrested

Alan J. Wylie Silver badge

My similar experience with core store in a defence establishment. At least I didn't get arrested!

Another data-leaking Spectre CPU flaw among Intel's dirty dozen of security bug alerts today

Alan J. Wylie Silver badge

Re: CVE-2018-3693 "BCBS" Bounds Check Bypass Store

Yes - the ARM one is the same as the Intel one.

Intel Open Source Security Incident Response Team: Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method

CVE: CVE-2017-5753, CVE-2018-3693

https://nvd.nist.gov/vuln/detail/CVE-2018-3693

Alan J. Wylie Silver badge

CVE-2018-3693 "BCBS" Bounds Check Bypass Store

Note that -3639 is a very similar "speculative store bypass" from May: don't get confused as I did for a short time. Could -3693 be the same as the Intel one?

Mark Rutland of ARM on the Linux Kernel Mailing List

arm64: spectre-v1 write fixes (CVE-2018-3693)

These patches inhibit spectre-v1-write gadgets found in arch/arm64, using the same mitigation applied to existing spectre-v1-read gadgets.

This issue is also known as CVE-2018-3693, or "bounds check bypass store". More details can be found in the Arm Cache Speculation Side-channels whitepaper, available from the Arm security updates site [1].

[1]

Leatherbound analogue password manager: For the hipster who doesn't mind losing everything

Alan J. Wylie Silver badge

As recommended by Bruce Schneier

Write Down Your Password

Well - it was a long time ago.

And in current affairs: Rogue raccoon blacks out city power grid after shocking misstep

Alan J. Wylie Silver badge

The other Large Hadron Collider incident

Large Hadron Collider scuttled by birdy baguette-bomber

Things that make you go hmmm: Do crypto key servers violate GDPR?

Alan J. Wylie Silver badge

Almost 20 years of employment history.

A quick search on a keyserver for my name shows many of the companies I have worked for over the last 20 years.

Alan J. Wylie Silver badge

Firstly, PGP public keys are on the server and placed there by the key owners.

They can be uploaded by anyone who possesses them. Co-workers, anyone with whom you have shared the public key.

Git365. Git for Teams. Quatermass and the Git Pit. GitHub simply won't do now Microsoft has it

Alan J. Wylie Silver badge

Happy birthday, you lumbering MS-DOS-based mess: Windows 98 turns 20 today

Alan J. Wylie Silver badge

Active Desktop, which allowed HTML content (such as news headlines) to be shown on the user's desktop at the cost of prodigious amounts of CPU and RAM.

And bandwidth. I can remember one cow-orker enabling it, which rapidly became apparent when we looked at the ISDN logs and discovered that his desktop, left on overnight, had been connecting every few minutes, bringing the line up over and over again, incurring a call charge every time.

UK footie fans furious as Sky Broadband goes TITSUP: Total inability to stream unfair penalties

Alan J. Wylie Silver badge

Seems to have affected Zen Internet too

Routing & Core Network Loss of Resilience

They seem to have had redundancy and no outage.

One update of interest:

Engineers are continuing to work on the fibre break.

The work is currently being delayed by numerous road works.

It's time for TLS 1.0 and 1.1 to die (die, die)

Alan J. Wylie Silver badge

Not only do they only support TLS1.0, but including RC4-SHA in their cipher list? Really?

Supported Server Cipher(s):

Preferred TLSv1.0 128 bits AES128-SHA

Accepted TLSv1.0 256 bits AES256-SHA

Accepted TLSv1.0 128 bits RC4-SHA

Accepted TLSv1.0 112 bits DES-CBC3-SHA

Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256

Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256

Accepted TLSv1.0 128 bits RC4-MD5


The Register - Independent news and views for the tech community. Part of Situation Publishing