
* Posts by Charles 9

12981 posts • joined 10 Jun 2009

Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug

Charles 9
Silver badge

I don't think you CAN rewrite it to cover all situations. Strict processes can be bombed with bad input, while loose ones can be exploited a la Confused Deputy. Neither one is desirable depending on the circumstances (which may not be the same even within the same process--and you may not even know which applies).

0
0
Charles 9
Silver badge

Re: Always check your inputs

Don't trust anything. Always assume the previous process is lying to you and the next process can't understand you.

1
0

Meet the Frenchman masterminding a Google-free Android

Charles 9
Silver badge

Re: Hmm

OK, wanna play Overwatch with the big boys? Last I checked, Battle.net still bans WINE users, Overwatch separates by platform, and the big leagues are PC-ONLY, so what options does that leave you, especially if you're a professional gamer.

0
1
Charles 9
Silver badge

Re: a real nerds answer

"2. If you think "turn off Magisk, reboot, do your stuff, turn Magisk on, reboot" constitutes too many steps for the average person to contend with then perhaps the problem doesn't lie with the 'million' steps but with your innumeracy and the fact that a mobile phone is too complex a device for you to master - El Reg probably isn't the right site for you (it's bit too technical)."

Don't think in terms of the Power User. Think in terms of Joe Stupid who wants a turnkey JFDI solution and has enough influence that he can dictate the phone market on his own, leaving the rest of us in the dust (and in his wake to catch the flak when problems do float up). Let's face it. If you want a phone system that will last beyond a couple years, you need one Joe Stupid will adopt. We Power Users lack the market pull to make them care.

0
1
Charles 9
Silver badge

Re: Hmm

I mean, if a big, seriously-Windows-paranoid company like Valve can't get people (users and developers) to seriously jump away from Windows, what chance does a small ragtag team have of talking Joe Stupid into stepping away from Android and all it provides?

2
2
Charles 9
Silver badge

Re: No value in privacy

Even then, the theft will probably turn out to be either an inside job or revenge plot: both of which were possible before the Internet.

0
0
Charles 9
Silver badge

Re: They obviously don't give your details to anyone else

And as a fictional journalist once said, "Paranoids are just people with all the facts."

5
0
Charles 9
Silver badge

Re: App Store

Not to mention there's no way to establish a trusted repo outside of Google's without rooting, meaning all the outside stores have to jump extra hoops.

0
1
Charles 9
Silver badge

Re: Banks

Not only that, having the root ability in and of itself is a security risk, kinda like drilling a hole in a bucket. No matter how much you plug it, someone can come along and rip the plug off (like malware noticing the root and exploiting it to get below the OS layer to install stuff the OS can't detect or remove, like a rogue driver). Plus there's a legal and financial incentive. Banks simply can't trust an environment that's not considered pristine: they risk liability if they do. At least if Google vouches for the OS and something happens, the lawyers can pass the buck saying it's Google's fault instead.

2
1
Charles 9
Silver badge

Re: Google might drop Android anyway.

Phone drivers are never going to be an openly-accessible matter, Linux or no, because those interfaces are Trade Secret Sauce to the chip manufacturers, the market is that cutthroat. That's why they've always been served as blobs.

3
1
Charles 9
Silver badge

Re: At its foundation, it will be forked from LineageOS

dm-verity requires submitting to Google to get an official key. That's why LineageOS is never signed, nor will this be without something significant.

6
1
Charles 9
Silver badge

When it comes to OpenStreetMap, YMMV. It's essentially a Wikimap. Depending on user input, results can be hit or miss.

5
2

Pwned with '4 lines of code': Researchers warn SCADA systems are still hopelessly insecure

Charles 9
Silver badge

Re: Do not put these systems online then?

No Internet connection is even needed to taint the USB stick if you have an insider, which for something like a state-sponsored infiltration can never be ruled out. Neither can SneakerNet.

PS. If they fire you, THEN they can overrule you. Safety and security take second place to just bloody getting the job done. If you can't get the job done, you no longer have a reason for existing, end of. And NO ONE's going to tell a JFDI client, "You can't get there from here"; it'd be business suicide.

0
0
Charles 9
Silver badge

Re: Do not put these systems online then?

But tell that to the top brass who can overrule you AND are seeking to reduce head counts (and associated labor costs, pleasing the investors) with remote management.

1
1

Stern Vint Cerf blasts techies for lackluster worldwide IPv6 adoption

Charles 9
Silver badge

Re: There Might Be An Alternative

Hmm, it pretty much reads like I thought it read originally. The essential idea is to use the IPv4 equivalent of a PBX router at IP endpoints. These endpoints will then be used to interpret specially-formatted IPv4 packets (they have RFC1918 addresses and a specially-encoded Option Word that IS part of the IPv4 spec) to act as extensions. Still have to wonder how these extension packets would get routed correctly, especially since most outside routers are supposed to drop packets with RFC1918 addresses. It's similar to a concept I'd thought about to introduce an extended routing packet to an IP endpoint to tell it to continue routing something internally, but I realized that implementation would not be as easy as it sounds, particularly if a single IP endpoint is simultaneously handling multiple connections.

0
0
Charles 9
Silver badge

Re: There Might Be An Alternative

For the record, he seems to be referring to this spec submitted to the IETF. From what I can make out, it essentially leverages the RFC1918-defined private spaces to extend the publicly-accessible space, though the document is a little hard for me to grok completely. Perhaps one can provide a slightly-less-technical version of what it's trying to do.

0
0
Charles 9
Silver badge

Re: But ...

"So long as you like spending money on life support, relying on third-party relay servers for everything and enjoy NAT, CGNAT and RFC1918 clashes and networks that are hard to reason about and require workarounds everywhere to deal with address space shortage, then sure, no incentive."

If YOU'RE the one in control of the relay servers (like Microsoft and Skype), then you WANT the status quo. It gives you an in to valuable demographics (one reason for the AT&T/Time Warner merger). And as long as the NATs and so on don't negatively and directly affect you (which they don't if you control the relay server; the user connects to you through the NAT), then it's SEP.

1
0
Charles 9
Silver badge

Re: But ...

"It is slowly breaking, however."

Unless it's BROKEN, as in completely, totally, unable to access ANYTHING, there's no incentive to jump and EVERY incentive to keep going as it's right now like a game of Flinch. Blink, you lose and get gobbled up.

1
0

Keep your hands on the f*cking wheel! New Tesla update like being taught to drive by your dad

Charles 9
Silver badge

Re: Auto-crash-pilot

Drivers are too aggressive these days to adhere to the Three Second Rule. Even less than ONE second provides a gap of at least a car length, and the instant you leave a gap big enough to fit (by Murphy's Law), someone WILL slip into it, removing your gap. And trying to put the Three Second Rule on the new car just invites another interloper, ad nauseam.

0
0
Charles 9
Silver badge

Re: Does tesla collect system records or incident information?

But that's a Catch-22. The ONLY way to test it on a real road is to put it on a real road, just like with humans. There is no substitute. Ain't nothin' like the real thing, baby.

3
0

How to stealthily poison neural network chips in the supply chain

Charles 9
Silver badge

Re: "...it survives typical software scans..."

I thought the ultimate sanction was nuking from orbit and starting from scratch. Replace the hardware and you'll probably replace it with a similarly-knackered chip.

1
0

UN's freedom of expression top dog slams European copyright plans

Charles 9
Silver badge

"However, copyright is an abomination. It doesn't work for the creator it just serves lawyers and corporations who squeeze every penny they can out of other peoples work."

If copyright is an abomination, what would you call what we had before it (aka everything was privately commissioned and usually kept out of the public eye)?

0
0
Charles 9
Silver badge

Re: Who benefits from the law?

Except the big guys are also more likely to fight back...fight back AND WIN, which leaves you asking which to take: a sure 10% of something or the risk of 100% of nothing?

1
1
Charles 9
Silver badge

So you need something with the speed of a computer and the subjectivity of a human, otherwise the load gets overwhelming and people lose. Either true works get copycatted to death or get wrongly tagged as copies, with no way to distinguish between them.

2
1

Shatner's solar-powered Bitcoin gambit wouldn't power a deflector shield

Charles 9
Silver badge

Re: World leading Geothermal nation ... Iceland ?

Doesn't sound like much, really. I mean, when it got really hot in New York a few years back, they ended up needing over 13GW...by itself. And then you have places like Hawaii that are completely isolated from the rest of the world, have high energy needs (they're in the tropics, a double-whammy of heat and humidity) and little room to put a generator. Oh, and a constant risk of typhoons which makes building anything that can last there tricky.

0
1
Charles 9
Silver badge

The catch is that there are few locations where you can harness enough geothermal energy to generate electricity. Iceland is lucky they pretty much sit on top of a volcano.

0
1
Charles 9
Silver badge

"Something is wrong with this. A small grid scale power plant is about 100 MW."

Using traditional means like hydrocarbons. To produce comparable power, continuously, from renewables requires significant land allocation. For example, the Desert Sunlight solar-thermal plant in California (550 MW AC) spans 3,800 acres (>15 km²).

1
1
Charles 9
Silver badge

Re: Too late...

"'wiped out gains' - what the HELL does _THAT_ mean???"

It means the growth in demand for power is STILL outpacing the increase in the supply of power. To use graphing terms, Q is moving faster than P. And as you should know, if the growth in demand outstrips the ability to grow the supply of it, we're going to have shortages. IOW, despite growth in the grid, there is STILL a growing risk of a shortage, and since electricity is a staple to most people AND most people's wallets aren't getting much fatter, this can raise quality of life issues...unless you're of the soulless sort who feel there are too many people and the human race should stand a cull.

13
0

Boffins offer to make speculative execution great again with Spectre-Meltdown CPU fix

Charles 9
Silver badge

Re: Speculative versus parallel execution

Catch is, there are some workloads for which parallelization will never be a solution. For example, there's a reason high-quality video encoding still takes place on the CPU (if not ASICs): the workload can't be run parallel very well, primarily due to its highly chained and interdependent nature. In essence, the whole process runs in a specific sequence where it's hard to jump ahead because a comparison can easily send the process down a completely different track, with no reliable way to predict which way it'll go. Similarly, many types of emulation can be both very timing-sensitive and very interdependent, meaning things have to run in lockstep to avoid side effects.

1
1
Charles 9
Silver badge

Re: I have a simple plan...

"2. Treble the clock speeds."

Intel called. They want their P4 NetBurst CPUs back. If you'll look back, you soon realize you can't just run everything faster. It just doesn't scale. Why do you think CPUs weren't and even today aren't specced much higher than 4GHz in clock speeds? One word: HEAT! The problems Intel had with NetBurst were the reason they had to take a step back to the P3, work smarter instead, and the end result is their current CPU line, the Core series.

"3. Make much faster memory."

There isn't much you can do about faster memory anymore without side effects. The biggest obstacles at this point are the speed of electricity combined with cycle lengths. In one nanosecond, electricity can travel, at most, about a foot. And yet you need at least some spacing due to all the heat both the CPU and the RAM inevitably kick up.

7
1
Charles 9
Silver badge

Re: I'd like to add that...

Where are you gonna go, then? Most of the other architectures suffer from variants of this, too, including ARM. The few that don't are basically too simple for practical applications these days.

1
1

Internet luminaries urge EU to kill off automated copyright filter proposal

Charles 9
Silver badge

Re: You just need a fingerprint algorithm

Cinavia is actually audible (barely). They do this intentionally so it's harder (but still not impossible) to mangle without adversely affecting the actual audio track.

0
1
Charles 9
Silver badge

Re: The internet luminaries could simply submit an RFC for a signature/validation protocol

What's to stop a mangler from just altering the content enough to throw off the signature? Steganographic mangling is nothing new. Not even stuff like Cinavia (which encodes in the audible range to avoid being mangled) is immune.

3
0
Charles 9
Silver badge

Until the miscreants start taking to stealing accounts and posting their dodgy stuff using those. That way, the plods start knocking on innocent doors while they get away scot-free, probably further protected by hostile sovereignty.

11
0

Scammers use Google Maps to skirt link-shortener crackdown

Charles 9
Silver badge

Re: Short URLs? Who needs em?

And I take it you had to hand-chisel every single address every time you had to change sites. To say nothing of virtual keyboards that kept misreading your touches and tiny little micro-keyboards too small for fat fingers...

0
0
Charles 9
Silver badge

Re: I use a different system

That's a thought at least. It could even be automated somewhat, so that each public-facing page has some kind of random key to it, which can then be internally spidered and symlinked in some "key" directory off the root to allow for shortened SMS-friendly URLs that still give you a good idea where you're going.

0
0
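One way to sketch the self-hosted scheme the comment above describes, as an added example that is not code from the comment, The Register or any shortener service. Every name here (SITE_HOST, KEY_DIR, ShortLinkRegistry, spider_site) is an assumption constructed for the illustration. The defensive point it adds: the registry only ever maps keys to paths on its own host, so, unlike a third-party shortener, a link cannot be made to forward to an arbitrary outside site, and the hostname stays visible in the short form.

```python
import secrets
import string
from urllib.parse import urlsplit

# Added example; SITE_HOST, KEY_DIR and the class below are constructed names.
SITE_HOST = "example.org"   # assumed: the site's own public hostname
KEY_DIR = "/key/"           # assumed: the "key" directory hung off the document root
ALPHABET = string.ascii_lowercase + string.digits  # SMS-friendly: no case, no punctuation


class ShortLinkRegistry:
    """Maps random keys to pages on *this* site only.

    Each public-facing page gets one random key; the short form is
    https://<SITE_HOST>/key/<key>, so the recipient still sees which site
    the link leads to.
    """

    def __init__(self, site_host=SITE_HOST, key_len=6):
        self.site_host = site_host
        self.key_len = key_len
        self._key_to_path = {}
        self._path_to_key = {}

    def register(self, page_path):
        """Assign (or reuse) a key for an internal page path such as '/docs/intro'."""
        if not page_path.startswith("/") or page_path.startswith("//"):
            # Refuse anything that is not a same-site absolute path: a registry that
            # accepted arbitrary URLs would itself become an open redirector.
            raise ValueError("only same-site absolute paths may be shortened")
        if page_path in self._path_to_key:
            return self._path_to_key[page_path]
        while True:
            key = "".join(secrets.choice(ALPHABET) for _ in range(self.key_len))
            if key not in self._key_to_path:   # skip the (rare) collision
                break
        self._key_to_path[key] = page_path
        self._path_to_key[page_path] = key
        return key

    def short_url(self, page_path):
        """Build the SMS-friendly form for a page, registering it if needed."""
        return f"https://{self.site_host}{KEY_DIR}{self.register(page_path)}"

    def resolve(self, short_url):
        """Return the internal page path for a short URL, or None if it is not ours."""
        parts = urlsplit(short_url)
        if parts.scheme != "https" or parts.netloc != self.site_host:
            return None                      # not our host: never forward it
        if not parts.path.startswith(KEY_DIR):
            return None
        key = parts.path[len(KEY_DIR):]
        if len(key) != self.key_len or any(c not in ALPHABET for c in key):
            return None
        return self._key_to_path.get(key)   # unknown key -> None, not a guess


def spider_site(pages):
    """Constructed stand-in for the 'internal spider': register every known page."""
    reg = ShortLinkRegistry()
    return reg, {p: reg.short_url(p) for p in pages}


if __name__ == "__main__":
    # Constructed sample page paths, not real pages.
    reg, table = spider_site(["/news/2018/06/widgets", "/about", "/contact"])
    for path, url in table.items():
        print(f"{url} -> {reg.resolve(url)} (original {path})")
```

On a real deployment the "symlink in a key directory" would be replaced by the web server looking the key up and issuing a same-site redirect; keeping the resolver strict about scheme, host and key alphabet is what stops the short form from being abused as a relay.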

Apple will throw forensics cops off the iPhone Lightning port every hour

Charles 9
Silver badge

Re: 5-dollar wrench

Or if the suspect is a masochist (likes getting hit) or a wimp (faints at the sight of it, too easy to intimidate). Couple this with being a loner (no family or friends to threaten) and you have basically no way in.

2
0
Charles 9
Silver badge

Re: If cops had their way...

Thing is, there's no electronic equivalent of a battering ram.

6
6
Charles 9
Silver badge

Re: Why didn't they operate a 1 hour lock-out after five (or whatever) failed attempts?

Now repeat it over and over and you start asking, "Now was it correcthorsebatterystaple or donkeyenginepaperclipwrong?" Even with mnemonics you can get mixed up, especially if you start mixing up mnemonics.

22
0

Citation needed: Europe claims Kaspersky wares 'confirmed as malicious'

Charles 9
Silver badge

Re: Microsoft windows spied on your computer directly

You got proof of that? And how did the data get out, given not a lot of computers were online then?

4
0

'Moore's Revenge' is upon us and will make the world weird

Charles 9
Silver badge

Re: A chip in everything...

No, they always strive to make things last until just after the warranty period as well as find ways to make breakages look like tampering which gives them an excuse to refuse warranty jobs.

1
0
Charles 9
Silver badge

Re: Article misses a critical point

"a) Nothing is perfect, but the KISS principle has generally proved a useful way of mitigating that inconvenient fact."

But it ignores two other unfortunate facts of life: the existence of necessary complexity and the natural desire of humans for black-and-white answers in a world with infinite shades of gray. IOW, sometimes the problem at hand has no practical solution (and it's also not as easy to prove it as Turing's Halting Problem proof), yet few are willing to propose to the customer, "Sir, you can't get there from here."

"b) Suggest a better alternative default than 'do one thing and do it well'."

OK, how about "Don't Trust Anything"? The main problem with modern computing is that you can't really trust anything: not the user, not the process before you, and not even the process after you. Things CAN and DO break, and not always for obvious reasons. We're even reaching the point where a "Hello World" can break something serious. Assume that the process before you lied to you about your available resources while the one after you will probably misunderstand you. This Brave New World of computing is probably going to require a total rethink on how we approach solutions: may even force a retreat back to the days where one cannot assume much and may need to do as much as possible with as little as possible (especially with regards to external resources).

1
0

In defence of online ads: The 'net ain't free and you ain't paying

Charles 9
Silver badge

"...and as someone mentioned before, once a person sees how nice the web is with an adblocker, there's no going back."

Until they make things miserable for people WITH ad blockers. Like the Mafia. Make an offer you can't refuse (You wanna play? Let us in or no dice, and our content is exclusive) and watch them come crawling back like the drug-addled losers they really are.

They can't go back without ticking off the higher-ups, so the only alternative is to Wall the Internet and see if people start going, "Stop the Internet! I want to get off!" In which case, it's just back to the billboards, product placements on TV, junk mail, and cold calls from outside jurisdictions...

0
0
Charles 9
Silver badge

Re: Where's the trust?

But CNN is in the US (based in Atlanta), which DOES have what you describe in their First Amendment, yet US news is considered LESS reliable than elsewhere, which makes you wonder. Is the Constitution in the end little more than ink on a page?

0
0

Oddly enough, when a Tesla accelerates at a barrier, someone dies: Autopilot report lands

Charles 9
Silver badge

Re: When will people learn

"If it believes the driver is still not responding, it will engage hazard flashers, pull the car over and stop."

Is it just me, or am I picturing one of these going into the ditch when it tries to do this on a road with no shoulders?

0
0
Charles 9
Silver badge

Catch-22

What you propose, however, is a Catch-22.

Because the ONLY way to make it considered trustworthy on public roads is to TEST them. But the ONLY way to test them reliably is to use public roads. There is NO substitute.

0
1
Charles 9
Silver badge

Re: ABS is OK

"CC: No, because I tend to lose concentration and my reaction time drops."

See, it's the opposite for me. Not having to worry about the speedometer and my foot's position on the accelerator allows me to keep my head up and scanning the road better, especially in areas prone to "bear traps" (jurisdictions that live off outsider traffic tickets).

0
1

PETA calls for fish friendly Swedish street signage

Charles 9
Silver badge

"Which has the greater right to exist, a cow or a cockatoo?"

How about one cow versus TEN cockatoos? Plus there are those who would argue we've over-predated the planet and are overpopulated right now, meaning unless we ease ourselves down, there's going to be a day of reckoning, followed by a population crash which we may not survive (not my thought, but I can see the reasoning at least).

1
0
Charles 9
Silver badge

Re: Mad Cow Disease

Particularly since cows and other ruminants are herbivores. There's a reason their guts are set up the way they are, as there are few ways to properly digest cellulose. Ruminating stomachs happen to be one of those few ways and probably the only one that doesn't involve (literally) eating shit (which is what rabbits and other coprophages do to give the cellulose a second go-round).

2
0
Charles 9
Silver badge

Re: Just let them fade into obscurity

"The whole point of blackmarking them on mainstream media is so they get relegated to the fringe publications which are inhabited by people just as crazy as they are, if not more so. So in that case, let them have at it."

But someone crazy enough will just plan something SO ostentatious that the MSM will be FORCED to cover it...or risk getting scooped and panned for not covering something THAT big. That's why ignoring bullies doesn't always work. Some are willing to go further than survival instinct will allow.

2
0

The Register - Independent news and views for the tech community. Part of Situation Publishing