* Posts by ElReg!comments!Pierre

2711 publicly visible posts • joined 22 Jun 2009

HPE chief exec Neri: US-China trade spat? Meh, that ain't no thang for us

ElReg!comments!Pierre

Little effect on HPE's bottom line, or on customers?

As a CEO, his only accountability is to the shareholders. If he's confident that the sales teams will be capable of gouging more cash out of customers, there will indeed be "little effect", from this perspective.

Here are another 45,000 reasons to patch Windows systems against old NSA exploits

ElReg!comments!Pierre

Re: Is anyone using UPnP anyway?

Many people don't know what a "TCP/IP network is" - and it's not a mandatory knowledge. When you use a drug you're not required to be a chemist or physician to understand what's in and how it works - you do expect it to work to heal you and not to kill you.

Everyone above age 10 is expected to know the basics of medicine safety, electricity safety, the dangers of a bottle of bleach, road safety etc. But suddenly when it comes to them 'puters, everyone is expected to be a bumbling moron and stay that way forever? I'm sorry, that is a ridiculous point of view. Especially as with today's ubiquitous config-by-webpage, the instructions on what to do and not do with the medicine you just got are no more complicated than setting up port forwarding (the fact that no-one really reads med notices is another problem; you are expected to).

ElReg!comments!Pierre

Re: Is anyone using UPnP anyway?

the problem with UPnP is that it is designed for the internal network

The problem with UPnP is that it is designed for lazy bums who can't be arsed to spend the whole 5 minutes it takes to configure their network properly when they get a new toy (/game /printer, whatever).

ElReg!comments!Pierre

Re: Is anyone using UPnP anyway?

That button is for WEP validating

Funny that it would be labelled UPnP then, and on devices not offering WEP (some not having wireless at all, some not being network equipments) but if you say so ...

I know why UPnP exists, I just never met anyone using it. But apparently I lived in a shielded bubble of sanity.

ElReg!comments!Pierre

Is anyone using UPnP anyway?

I know a lot of gear used to come with "UPnP" pushbuttons but I've never witnessed anyone actually pushing one. I've seen ticked "UPnP" boxes in config webpages, but when asked, the culprit invariably answers "That? Oh, it was ticked by default, I don't know what it does so I left it alone".

Big Blue shoos Db2 blues before rogue staff turn the screws in hijack ruse (translation: patch your IBM databases)

ElReg!comments!Pierre

Re: Or you could use a grown up database ...

Beat me to it. Apparently our DBs are safe ;-)

See this, Google? Microsoft happy to take a half-billion in sweet, sweet US military money to 'increase lethality'

ElReg!comments!Pierre

MagicLeap

MagicLeap, [...] also went for the contract, but failed to win it because, you know, its system is garbage.

Wait, if they went for the contract they must have provided at least a specs sheet (probably not a working prototype, as they are probably still working on one ;-) ). Isn't that kind of application for pork barrel subject to disclosure, should someone ask?

Why is my Windows 10 preview build ticking? Microsoft reminds users that previews have timebombs

ElReg!comments!Pierre

Re: Isn't it just wonderful ?

Waiting for Linux to do everything I need doing.

OK, I'll take the bait. That would be?

GCHQ pushes for 'virtual crocodile clips' on chat apps – the ability to silently slip into private encrypted comms

ElReg!comments!Pierre

Re: Not really what they have in mind

(as for transparency, they most certainly plan to prevent "providers" from disclosing how and when such "ghost" accounts have been used)

ElReg!comments!Pierre

Not really what they have in mind

I don't think GCHQ plan to ask anything; they want "ghost" accounts able to slip in unnoticed, without the communication provider's authorisation: "We expect providers to validate that such an authorization is in place, but not try to independently judge the details of the case.". That means blanket pre-auth to bulk spying, no oversight or record-keeping needed, thankyouverymuch.

GTA gamer cuffed, charged after PS4 live mic allegedly overheard him raping teen girl

ElReg!comments!Pierre

Re: Waiting for The Dail Mail et al...

Stellar piece, thanks for the link. A textbook example of why politicians should not be allowed anywhere near statistics.

The whole argument is based on the assumption that the defendant is necessarily guilty, so "the rate of conviction" necessarily needs to increase. Hey, I have the perfect solution: let's scrap juries and trials altogether and automate the whole thing: online declaration, automatic sentencing of the accused within 10 seconds, print your receipt, problem solved (reaching the 10 seconds response time might require some improvement in the UK's network infrastructure though).

ElReg!comments!Pierre

Re: Waiting for The Dail Mail et al...

Nah, we're not in an election cycle.

ElReg!comments!Pierre

Re: 18 year old man

In most countries, 18 yo = a man. The US has this strange distortion where you are no longer a kid at 18 but not a real adult until 21. I like to call it "Adulting probation". It serves no special purpose that I can think of. But again, we're talking about a legal system that will happily flag kids as paedophiles for sharing frisky snaps among their same-age friends (not that it is a good idea, mind).

ElReg!comments!Pierre

Beware of bias

If you believe meta-stats on these things (and I kinda do, with caution) most of these offences are not reported at all (social and family pressure, there's a whole lot of literature on that). Statistics (should) only look at closed cases with a conviction (to avoid unfounded witch-hunts).

It follows that the only people monitored for that kind of offences are prior offenders. The aforementioned social pressure also makes it much easier for victims to report abuse once the offender has been outed by another victim.

So of course the rate of recidivism will appear high, compared to the mostly unreported "Primo-offenders". That's just basic math. It's also quite sad. Still no reason to think that "it is highly unlikely that they will stop.", as you put it.

ElReg!comments!Pierre

Reporting bias

That kind of stupidity often makes the news and leaves a strong imprint in our mind, creating the impression that most criminals are stupid. In reality the mildly stupid ones are only caught after lengthy and costly investigations, the clever ones may never get caught, and the very clever scum are careful to use legal loopholes.

International politicos gather round to grill Dick, head of Facebook policy, on data slurping

ElReg!comments!Pierre

Re: I'm not clear on UK law, or the specifics of this case...

While we are getting close to a point where nations declare war on corporations and vice versa we are not quite there yet. Yet.

Declarations of war are for when Nation-States disagree with each other.

We are at the point where corporations can bring Nation-States before the courts and extract fines out of the People. One would hope that the Govs could grow a pair and reciprocate.

ElReg!comments!Pierre
Unhappy

I'm not clear on UK law, or the specifics of this case...

but how far can you go before you are found to be blatantly taking the piss? Isn't there some kind of "contempt of the whole f*cking nation" that can be brought up in order to get the beginning of an answer or face huge fines?

I mean, you can be thrown into jail for forgetting your encryption key, FFS! No "I'll get back to you about that" allowed.

(I do understand that the procedure by which the trove of docs was acquired is a step in the right direction, but it's very mild and not even directly targeted at the main defendant)

Excuses, excuses: Furious MPs probe banking TITSUPs*

ElReg!comments!Pierre
Pirate

Re: Motes and beams

they have great difficulty in surviving events that prevent usage of head office or similar key office location

Ha, but that would be why we have sophisticated access control with impressive turnstiles at every point of entry on "office" sites *. Only the card-carrying permanent employees can access the premises. Well, the externalized staff too of course, but that's barely half the workforce. Oh, and the cleaning staff also, who may or may not speak the language at all and may or may not share a couple access badges among the 10 of them. And anyone wearing a high-visibility jacket and carrying a toolbox of course, because no one wants to upset management by preventing the limited-access loo on 13th floor from being fixed ASAP.

Security, as seen by the higher-ups, is often anything showy that won't interfere with their bad practices in any way. While poking a bit in a playful manner, I recently found out that we have a specific rule on our firewalls that prevents IT people from accessing known webmail sites. Sensible, you'd think it's there to avoid unfortunate leaks and mitigate spear-phishing attacks. BUT it only blocks IPs associated with IT ... Similarly, while we enjoy unfettered access to Youtube, I found I had to file a request to have access to IBM's official Z/OS documentation. It had been flagged as sensitive ...

* The DCs have a 3-step procedure complete with ramcar-proof barriers, guard dogs, and bulletproof glass, but of course you can't subject management to such a rude welcome.

Seeing as Bitcoin is going so, so well, Ohio becomes first US state to take biz taxes in BTC

ElReg!comments!Pierre

Re: Just for curiosity...

Unsurprisingly, xkcd has an estimation. Unsurprisingly, the answer seems to be "more than the value of a bitcoin". Of course the cost of electricity and the value of the bitcoin are not universal constants (I like understatements), so YMMV.

ElReg!comments!Pierre

Gimmick

My view is that it's not really going to be a "game-changer", or "shift expectation", "disrupt" or "leverage" anything (you get where I'm going) -nor is it intended as such. Someone wants to be seen as "on top of things", perhaps to attract the next bubble-based companies, or perhaps to boost one's resume for the after-office life.

In short, "blockchain" hit the mainstream hot-topic list recently, some amount of political piggybacking is to be expected.

That's still pretty tame. I've heard suggestions of using blockchain-based mechanisms for core Bank applications -ones that are subject to very tight real-time legal requirements, and hence necessarily centralised by design. For some people "distributed" and "centralised" are just words, while "blockchain" is a career opportunity...

Lush scrubs its card-processing servers squeaky clean

ElReg!comments!Pierre
Pint

Re: Mummies Basement

Post probably best understood with an alcohol-to-blood ratio matching that of the poster, I suppose. My beverage stash is lacking at the moment, will work on that ASAP.

ElReg!comments!Pierre

Well, the store doesn't perform the authorisation, the bank does. And there are pretty strict legal requirements for the anti-fraud systems. Not sure they could actually do what you're suggesting (the bank would probably squarely refuse).

It is also entirely possible that the bank's auth system was at fault there. A, erm, friend of mine told me it kinda happened recently at the bank they are working with (not in the UK).

NASA's Mars probe InSight really has Mars in sight: It beams back first pic after touchdown

ElReg!comments!Pierre
Thumb Up

“If we’re going to send humans there, it’ll be useful to see how often it gets impacted.”

"If"

https://en.wikipedia.org/wiki/Laconic_phrase

Overall a nice demo of how political wardrum bangers can't completely stop international scientific collaboration: the main instrument on the probe, the state-of-the art SEIS seismometer, is French. Yay for international science, and we can only hope that angry tweets won't obliterate that in the future.

Reverse Ferret! Forget what we told you – the iPad isn't really for work

ElReg!comments!Pierre

As happens with most cultists, you've been had

Enough said.

(I do own an iPad, in case you pictured me as a rabid anti-fruit nutter; it's pretty cool)

Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you're visiting

ElReg!comments!Pierre
Pint

Re: Not with NoScript it isn't. @AC

The brand is "security by WTFizzatshitRuserious"

ElReg!comments!Pierre
Pint

Re: Cache occupancy? Hmm.

The "attack" doesn't seek precise timers, so as long as your background task can get hold of the cache faster than (or as fast as) the browser does, I guess it could confuse the attacker indeed. Caveat: most background tasks would be set, by design, to low priority, allowing browser activity to "emerge" nonetheless. Re-nicing Prime95 to -20 and the browser to +20 might fix that, although I'm not sure I'd want to browse the web from such a setup.

ElReg!comments!Pierre

Re: You might as well walk infront of a train with a red flag.

Funny you'd mention that*, as allowing JS exactly has the effect you describe, i.e. slowing down the 'tarwebs, sometimes to the point of uselessness. When it's not crashing it entirely, that is.

Of course considering the rest of your post it's entirely possible the whole thing went "WOOSH" over my head, my sense of irony being a bit off these days.

*apart from the obvious fact that it was supposed to be cars, not trains

ElReg!comments!Pierre

Re: It should only take 10 minutes to negotiate a fix for this

They're fingerprinting the processor cache, so the script would "detect" a page loading in another browser (whether it could identify it rather depends on how the browsers load pages and how the fingerprint database was constructed).

The aim for this technique would not be to construct a map of every website you visit, as their "open world" setup shows. Rather, it would seek to determine if you are visiting a "sensitive" website, and as such are overdue for a friendly chat in the back of an unmarked van.

ElReg!comments!Pierre

Re: Not with NoScript it isn't. @AC

As I understand it, the authors dismiss the "other things [...] going on" because the browser uses a large proportion of resources, and the noise is "filtered" because "deep learning" (which would in most cases eliminate basic, predictable system activity). One of the problems, in my view, is that this "broad" approach is unlikely to work if there is significant unpredictable system activity going on at the same time (say, you're retrieving your mails via ClawsMail while loading the page).

Also, even if 'net browsing is the only thing going on, I wonder how well the technique works when tab number increases. I'm guessing "not well at all". My 2 primary uses for tabbed browsing are comics binge-reading, and wide-scope documentation. In both cases I often have 10+ tabs loading at the same time, good luck with that, cache-lurkers. (Well of course I don't allow JS to begin with because I like resource frugality -and not because I have shitty slow 'puters, as some may malignantly suggest- but that's beside the point)

ElReg!comments!Pierre

It also relies on connection speed, browser brand and version, websites staying the same over time -the attacker needs to build a fingerprint database-, and overall resource consumption. As such, it might achieve 70% accuracy in a lab setup with a limited set of fixed pages, constant and known connection speed, known browser and no other system activity, but I can't see it working in the real world.

Bordeaux-no! Wine guzzling at UK.gov events rises 20%

ElReg!comments!Pierre

cost of French wines

Short answer: yes. Long answer: no.

TL.DR blurb :

Well, as a French national with a wide experience in international wine-tasting (hobby, not pro), most of the VERY expensive bottles are mostly prestige. However, there is a fundamental gap between how French people (and international experts) rate wines, and how French wine is sold to the hapless prestige-seeking anglosaxon crowd. In France you will absolutely not buy a "Merlot" or a "Cabernet" or anysuch, unless you're looking for a cheap cocktail mixer or a way to get drunk for cheap. You'll look for local "terroir" denominations, which are very specific and VERY seriously enforced, some spanning only a few hectares. Within these you'll look for a specific wine-maker. This winemaker will often offer you one or several "special" cuvées made of grapes from patches as small as a few hundred square meters, because the soil and sun exposure there makes the wine different (you may or may not like the difference; the choice is yours). When "seriously" buying wine, it is customary to go around the place and sample stuff from most of the winemakers in the area before making your choice. For the city-bound folks, relying on intricate stock-exchange-like guides is common.

Of course, then comes the price. Some Bourgognes and Bordeaux can be absolutely magnificent, but don't expect a low-price one to be any better than a random New World wine. In fact, in the low-price range, I would STRONGLY advise against Bourgogne or Bordeaux. If you MUST go French, look into the Loir (not Loire) valley, a lot of interesting stuff going there at the moment in the "light wines" category. And why not look into your own local production ? I hear the Hadrian's Wall is not the absolute north limit for winemaking anymore.

In short, there is no such thing as "a good wine". There are wines you like and ones you don't. There are times and moods, and wines to go with (If I was to cheaply woo a Tyne and Wear lady used to Newcastle Brown, I'd pull out an unnamed Merlot from southeastern France and some chocolate, for example -OK, don't push, I'm leaving already)

OpenStack 2018: Mark Shuttleworth chats to The Reg about 10-year support plans, Linus Torvalds and Russian rockets

ElReg!comments!Pierre

Re: Are your passwords similarly formatted to your usernames?

Some are.

Pardon the belated answer, it was unclear to me whether you asked me or "K" up there ; the question seemed legit for both ;-)

ElReg!comments!Pierre

Re: "the guy ... who engineered machines to beat Gary Kasparov"

And the remaining 0.09 % are, I suppose, longing for a well-deserved brew ...

A while ago I was skeptical about Ubuntu in the DC, but they do seem to manage. Even in our IBM / RHEL shop they managed to slip a few installs here and there. I can't really comment on reliability / support (too few of them compared to RHEL) but nothing catastrophic. That being said, given the recent turn of events they'll probably be progressively replaced by RHEL boxen in the coming years ...

From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs

ElReg!comments!Pierre
Joke

Re: TP-Link

While you raise interesting points, that "If" of yours will not answer to being called laconic.

ElReg!comments!Pierre

Re: TP-Link

Well, if you're so inclined you could look up the list of cheap routers supported by openWRT, and set up your own security rules. Sensible guidelines are available, meaning that depending on your knowledge you may learn a thing or two along the way, and if you do mess up, you'll know who to blame!

LastPass? More like lost pass. Or where the fsck has it gone pass. Five-hour outage drives netizens bonkers

ElReg!comments!Pierre

Re: My grandpa always said

>I am old enough to remember times when people wanted to run their own servers because Gmail and Outlook had issues

Oh, I see. A genuine Graybeard then ...

Hands on with neural-network toolkit LIME: Come now, you sourpuss. You've got some explaining to do

ElReg!comments!Pierre

Who tests the testing tool ?

In an xkcd-esque musing, I now consider looking into a model that would use an arbitrarily weighted combination of Fourier transform and metadata to classify images, just to confuse LIME users.

ElReg!comments!Pierre

Confirmation bias, too

I think we can safely assume that these models will soon be trained on image sets classified by other AI models, amplifying exponentially any bias...

Of course, as is often the case for denounced AI flaws, the same can be observed with the flesh version of AI : NS (Natural Stupidity).

Intel peddles latest Xeon CPUs – E-series and 48-core Cascade Lake AP – to soothe epyc mygrayne

ElReg!comments!Pierre

Re: Roadmap timing

Well, Epyc is already being shipped with the next-gen coming soon, so Intel just HAD to announce something -anything- just to look like they're not sitting on their arse milking customers dry.

30 spies dead after Iran cracked CIA comms network with, er, Google search – new claim

ElReg!comments!Pierre

Perhaps they did respond,

On one of their secret sites. Someone fire up the Google !

We (may) now know the real reason for that IBM takeover. A distraction for Red Hat to axe KDE

ElReg!comments!Pierre

One "word"

JWM.

While I once enjoyed the cheerfulness of icon-based desktop environments, I realized quite a while ago that nothing beats the brutal efficiency of a lightweight windows manager + console. I have no particular interest in fancy backgrounds, animations or desktop clutter. My computers are work tools, and them being more efficient means more time for me for non-work stuff -like computer games or mindlessly posting on El Reg ... oh wait. Bugger

ElReg!comments!Pierre

Re: Does anyone use an IDE on RHEL anyway?

> With IBM buying RH and the decision to kill off KDE, Devuan is now looking really good.

Are you suggesting that Devuan wasn't looking very good before ?

As for IBM's gobble, from where I sit it may not be so ominous : RH commitment to the basics of the *NIX philosophy has been, erm "flaky" (to put it lightly) for some years now, and IBM is arguably not the worst sugar daddy to this respect (remember that RH was also cosying up to Redmond and Mountain View recently... and IBM may have lost some open-source love, but let's remember that it did save Linux' hide from the Darlek (*)(**) ).

As for the reasons of the gobble, everyone seems to be focussing on market value and growth speed. IBM strikes me as a steadiness-oriented business ; a mobile fortress rather than a racecar. It may not appeal to the younger generation, but it is key to IBM's core market even to this day : corporations that rely on mainframes. And to anyone who has worked with IBM customers the gobble was quite the obvious move : for the big'uns, while the backend is Z/OS, the frontend is RHEL.

(*McBride)

(**OK that's more corporate interest than kindness of heart, but still)

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box

ElReg!comments!Pierre

Re: Time to troll

I know about the Devuan images and even have downloaded the appropriate ones. That's when the aforementioned laziness of mine comes into play (the darn machine I singled out hosts a web server, a ftp server, a mainframe emulator and a few other toys that I'd rather not reinstall and reconfigure from scratch ... )

ElReg!comments!Pierre

Re: Time to troll

> Just like it's entirely possible to have a Linux system without any GNU in it

Just like it's possible to have a GNU system without Linux on it - ho well as soon as GNU MACH is finally up to the task ;-)

On the systemd angle, I, too, am in the process of switching all my machines from Debian to Devuan but on my personal(*) network a few systemd-infected machines remain, thanks to a combination of laziness from my part and stubborn "systemd is quite OK" attitude from the raspy foundation. That vuln may be the last straw : one of the aforementioned machines sits on my DMZ, chatting freely with the outside world. Nothing really crucial on it, but I'd hate it if it became a foothold for nasties on my network.

(*) policy at work is RHEL, and that's negotiated far above my influence level, but I don't really care as all my important stuff runs on Z/OS anyway ;-) . Ok we have to reboot a few VMs occasionally when systemd throws a hissy fit -which is surprisingly often for an "enterprise" OS -, but meh.

What could be more embarrassing for a Russian spy: Their info splashed online – or that they drive a Lada?

ElReg!comments!Pierre

Re: 6 downvotes and counting

On a related note, in Canada US (GM) cars are generally rated as having a 5-years life expectancy - roughly half that of any other car...

ElReg!comments!Pierre

Re: 6 downvotes and counting

> If you know 30 people who own British cars, you've got a reliable monthly income.

Coming from the land of HD Motors, AKA "Our bikes need a supertanker on hold for your daily gas needs -and don't you forget your twice monthly servicing", that's a bit rich ! Even the now "resting" (in the Monty Python's parrot way) Brit motorbike industry was never that bad !

ElReg!comments!Pierre

Re: 6 downvotes and counting

Reminds me of an old joke. You know why rich people drive Jags, but REALLY rich people drive Bentleys ? Well, everyone can own ONE expensive car, but maintaining a rolling fleet of three and having a mechanic on the payroll is what real money is for...

ElReg!comments!Pierre

Well, 2 possibilities here

-GRU registered a car for one of its agents using a spoofed innocuous address

-GRU set up a fake huge uni campus complete with fake students and fake profs and fake janitors etc to centrally register all its vehicles using its agents' real names.

I know which would make the best Bond movie !

Secret IBM script could have prevented 11-hour US tax day outage

ElReg!comments!Pierre

Re: Interesting requirements

In a well-managed production environment, an incident doesn't impact availability -or shouldn't, at least. So they have 4 hrs to fix individual incidents, and should things go very wrong they are allowed 25 min downtime per year. The 2 numbers have no direct connection.

> Which is less than the time allowed for them to even notice a problem exists at all.

Where I work we are held to a 15 minutes deadline on incidents, which means that the client is guaranteed that within 15 minutes of any potentially serious incident the client will have been informed and technical remedies will have been initiated. I hear that's not uncommon.

ElReg!comments!Pierre

Since we went geoplex we're getting these 5 9s. So, not impossible.