Posts by SImon Hobson

Re: How about what BT/VM do?

now it does not broadcast a name at all.

Which is actually a negative level of security added.

Setting the SSID to hidden doesn't actually hide the SSID from anyone who wants to see it. In actual fact, it makes it get broadcast more often under many circumstances - just not in a way that makes it appear in normal users' WiFi list.

Why ? Because if you hide it, every device that you join to it must then broadcast to find it - in effect shouting "Is the network 'EffOff' around ?" Thus instead of one router advertising your SSID, each of your devices will be doing it - IIRC they'll be doing it all the time, when not connected they will be trying to connect, when connected they will be looking for other base stations that might have a better signal to roam to. For bonus points, your mobile devices will use more battery power as well.

So any WiFi analyser will show the hidden SSID network exists, it takes naff all effort to actually find out what that SSID is.

But, this is all academic anyway - unless the hacker is in close proximity then they won't be trying to connect to to your WiFi. Hard to do that from half way round the world.

Re: A never-ending study on how to mess up humans...

Another reason to use a ring is that it allows people to walk from one place to another. If you put two modules on the ends of a beam, then to get from one to the other you have a long "climb" to get from one module to the centre and then a long "decent" to get to the other module. Climbs and descents significantly increase the risk of injury from falls compared to something where you can walk "on the flat".

Re: Damn ..

URLs are hardcoded in the DB and so the DB needs much fiddling with to move it between URLs.

Just to correct that misinformation ...

Base Wordpress has just two settings to change, both of which are on the main settings page. So moving a Wordpress site is "change these settings, export DB, copy/sync files to new location, import DB". However, some plugins do hardcode URLs etc - but that's not WordPress's fault.

> Doesn't DNS get cached in various places?

Yes, but ...

This malware probably doesn't use the local cache - in fact it specifically won't because that would mostly defeat the purpose of the malware. It most likely looks up (or is told) the IP address(es) to attack and sends it's DNS queries directly to there - thus bypassing DNS caches completely.

Of course, ISPs (and savvy ned users) could block outbound DNS except to/from certain addresses - from the ISP side, they could restrict users from using anything but the ISP provided resolvers (and then get a right slagging off from tech savvy users fed up with the sort of crap resolvers many ISPs run). Even then, all the bot needs to do is generate multiple requests (eg a.target.tld, b.target.tld, ...zzzz.target.tld, aaaaa.target.tld, ...) and the cache is significantly less effective as each new request will cause a new lookup to the targets DNS servers - though this will also affect the resolver due to the rapidly increasing size of the cache.

But that's only DNS, you can't block (for example) HTTP traffic without effectively killing the internet !

This is where the botnets score. If a single device (or small number of them) is sending massive amounts of traffic then that's relatively easy to spot and block. But with a distributed attack (the first D in DDoS), you only have to generate a small amount of traffic from a huge number of devices. If done right, the DoS traffic is undetectable in amongst the legitimate traffic from the end users hosting the infected device.

Re: FTTP Order...eeek

Over reliant use of contractors

There are economies from buying in expertise that isn't your core business - but then BTOR are big enough that they could keep their own gangs busy.

Of course, if one were of a suspicious mind, the use of contractors might look like a means of getting around employment law. Permie staff have rights, staff working for a contractor that doesn't get it's contract renewed (because someone else has undercut them or they didn't meet the impossible targets set) get redundancy without any comeback. And I'm sure the ability to play contractors off against each other in a Dutch auction hasn't even entered their minds !

Re: The UK is not educating people in Tech...

That means you are approaching the problem incorrectly.

In this case, no I'm not. I do have some friends "on the inside" and they're all telling me the same thing - the company is actively clamping down on any attempt to bypass HR, with "getting a mate to introduce you to the manager" was a well known to bypass the non-hiring process. For some jobs, but I;m told, none of the ones I'm interested in, there is an option for an employee to recommend someone (for which they get a bounty if that person gets hired).

The HR system there is clearly designed to prevent them hiring people. It's obvious to both applicants on the outside, and to people on the inside - especially frustrated managers who know that there are netter applicants (via word of mouth) than the handful that HR ever let them consider.

In one case I've been told about, the majority of applicants actually put forward for consideration were not actually eligible to work on the site due to nationality - now that's taking "broken" to a whole new level !

Re: Waiting for the crash...

Given DNS has been architected to spread the load

No, it is not to spread the load. DNS is architected to spread the administration so that the DNS for a ${something} can be managed by someone local to/supporting that ${something}.

Thus I can run my own DNS servers for my own domain - all they have to do is serve up record for my domain to outsiders, and server up resolved records to internal devices. The DNS architecture allows me to do that easily by setting the NS records (and glue) at the registry - rather than being beholden to ${some_big_organisation} and whatever they let me do with it.

That latter scenario was the case in the early days of the internet, when you had to get an entry put in a global hosts file, which was then synced out periodically to the few hundred/thousand systems then online. As you can well imagine, that didn't scale too well as the internet grew - hence why the heirarchical DNS as we know it today was developed.

Spreading the load is done by the same techniques that are used for spreading other loads. For example, 8.8.8.8 won't go to just one Google server - it'll be anycasted and load balanced between probably many thousands of servers spread across different parts of the world and internet. That load sharing isn't specific to the architecture of DNS.

Re: Solution looking for a problem

Not only that, but there is pretty well zero point in a connected toaster - until we also have a robot that can get the bread out, pick out a couple of slices, spot that it's not turned green and fuzzy yet, and pop it in the toaster. But of course, if we have such a robot, it can pop the lever down to turn on the toaster.

Ditto the kettle - what point is there being able to turn it on remotely unless you can fill it remotely. Fill it up beforehand, well doesn't that make the "you can do stuff remotely when you forgot before going out" bit rather moot ?

Re: Amazon

> They seem oblivious to the consequences that this flags up.

Quite the reverse.

There's no consequences for them for situations like this - they just get to shift more tat in their war with eBay.

The consequences of admitting to a problem are more of a concern - hence why they'll not admit to the possibility of one.

Re: 259 individuals

Hard to know if you are being serious or sarcastic.

259 is 259 too many. Just think about it, one day you find your bank account has been closed and your driving licence revoked. Now what ?

Will your creditors, such the the mortgage company, take the attitude "that's OK Mr AC, we'll give you all the time you need to deal with this misunderstanding" or will they tell you "Sorry Mr AC, your mortgage is being called in, you've got until next Wednesday to repay it" ? If you're renting, then expect to be getting a notice to quit quite quickly after you stop paying the rent - or when the landlord is told you're an illegal immigrant and he gets a £3000 fine (or possibly even prison under new proposals) if he doesn't serve a S21 notice on you immediately.

Your employer isn't too likely to be impressed either - once you are declared an illegal immigrant then your employer has no option but to sack you.

So there you are - freshly out of a job, no money, no home, and fighting to clear your name from a presumption of guilt. But look on the bright side, when they round you up, you'll have a roof over your head in the detention centre.

Personally, I think that not one person should have to go through any of that. That officials seem to think it's a price worth paying is doubly bad. It's certainly not what I think "Great" Britain should be about.

To be fair to Owlet, they are not selling ... their baby monitor as a medical device.

No, but (I assume) they are selling it on it's features which effectively means they ARE selling it to parents who expect a certain level of functionality. Ah, checks website, they most certainly are - with statements like "Designed to alert you if your baby stops breathing", "Proactively Monitors your baby’s heart rate and oxygen levels so you can have peace of mind", and "83% of parents who report better sleep while using the Owlet Baby Monitor". No doubt there that the expectation intended to be set is that you can fit this device and you can relax a bit "safe" in the knowledge that it'll alert you to problems.

Put another way, if you aren't going to rely on any of it's monitoring functions, then "why" buy it ? So if you assume that the device can't reliably alert you if the baby stops breathing, then your option is to check regularly - clearly if 83% of parents say they sleep better, a heck of a lot of parents are using the device to reduce the frequency they need to check.

OK, so you could argue that it may provide an alert in between your regular checks. Well unless there is some certainty (which it appears there isn't), then you can equally say that "the baby may die without any alert" which I assume won't be appearing on their website as a testimonial !

As to the disclaimer in the agreement - we all know how many people read those. So maybe the sort of person to be found in ElReg's forums will understand the limitations - the "average" person will believe this this device is something they can "rely" on.

Re: tl:dr

> It was the "We" in a certain set of questions that irked me

Especially when it comes to "does senior manager support IT" (or whatever the question was) - I bet there's a lot that think it doesn't !

Re: Pitfalls of G.fast

There is potential for that device to send 240VAC onto the BT copper pair

There is already that. Just think that pretty well most phone lines these days will have some mains powered kit plugged into them - none of it under BT's control, and some of it from (staying polite) less conscientious manufacturers/sources. And of course, this existing kit will be subject to all the same potential problems (damp, damage, etc).

The other safety concern is having equipment powered from multiple premises - and thus creating a potential for a fault in one property to send a dangerous voltage into another. In practical terms this is unlikely as it would need multiple faults - a "power" fault in one property, a failure of the AC-DC converter in that same property causing dangerous voltages to be sent up the wire, a failure of the isolation on the other end of the wire (inside the BT device, so under their control), a failure of the isolation on another port allowing that dangerous voltage back out again, and a failure of the isolation at the other subscriber's end allowing them to get a shock. That's quite a catalogue of failures that have to happen at once - and having them occur over time and not be noticed is unlikely as some of them would affect service.

There is also the issue of lightning - but that is already a potential issue so I don't think there's any change in risk there.

Re: Glazed over at the mention of...

> Glazed over at the mention of... during reading comprehension classes

There, fixed it for you.

There is absolutely nothing in the article about this being "cloud linked or landfill" - had you actually read and comprehended it. This is about the manufacturer offering an OPTIONAL internet based update service for things they manufacture using these modules. That does NOT mean that the devices need to be cloud connected to work - they only need to be online to receive updates via this service.

Now, what a manufacturer decides to do with the modules is another matter. If the gadget manufacturer decides to make another Revolv then that's down to them - it's is not something inherent from using this module.

Re: Brownouts don't really work anymore

The only such event I've seen written up is Sizewell/Longannet in 2008.

Blimey, I hadn't realised so much time had passed :-(

Anyway, I'm not sure my point was clear.

The short term operating reserve contribution from interruptible demand is no longer available for emergency response during peak hours. It's already in use for meeting routine peak hour demand.

Indeed I had missed your point.

You make a good point that the measures available to the controller back then are largely not available to them now when they are most likely to be needed. Still, we're busy installing new measures - we all know what smart meters are really all about !

> Also if all food producers radio tagged all food with what it was and its expiry date.

Nope, that won't make it work either. It would need foods packaged such that the fridge could tell if it is an unopened packaged (in which case see the use by date) - or it's been opened in which case see the "consume within x days of opening" date.

In any case, I ignore those and go by the test that predates all this "use by" and "sell by" malarky. It worked for my parents, and it worked for their parents, and ... I don't recall any of us getting food poisoning (very often).

Lets face it, things like cheese and yogurt are "milk that's gone off" (in a special way). If the cheese hasn't gone green and fury then it's still OK to eat. And my nose tells me if the milk (that isn't supposed to be cheese or yogurt) is going off.

Re: Linux has facilitated the cituation he is lamenting about

> Windows did not allow any such liberties with the PC that is why it is so uniform.

Ah, those who don't remember history.

I can just about remember the early days of "the PC", though I was only involved as a user back then. You caould buy loads of "PC"s from other vendors, that came with PC-Dos from MS, and would run "PC" software. But they really didn't have the uniformity of hardware that people think - there was a lot of variation and MS would provide each manufacturer with a PC-Dos tweaked to suit.

As I recall (rather vaguely through the mists of time), it was some game reviewer in a magazine that coined the "PC Compatible" that people take for granted these days. SHe worked on the basis that if you could take ${random_game} off the shelf, unwrap it, and boot the PC with that disk and be able to play the game - only then was it "PC Compatible".

As so, fairly quickly, all the manufacturers quickly learned that they had to mimic the IBM PC fairly closely (eg putting the serial ports at the same I/O addresses etc) or they'd be labelled as "not compatible" and would lose sales. Thus the "PC Compatible" standard "happened" !

I deliberately say "happened" because it wasn't really designed, it sort of came into being in a very accidental way.

AIUI, the original IBM PC wasn't actually an IBM project. Some small electronics company took a National Semiconductor data sheet/design notes for their 8080 family of processors, and with very little of their own design, made an implementation of a suggested system design. IBM were geared up to "big stuff" (where productivity is measured in how many lines of code you make, not how small you make it !) and as they could see the likes of Commodore and Apple eating their lunch in the small office - bought the company and stuck an IBM badge on it.

Thus the original PC was born, and more or less by accident, the design "choices" made by Nat Semi and some never heard of hardware house became the de-facto industry standard.

.

But Linus is right about ARM. It's not the processor, it's the way every system manufacturer does their own thing - in the same way that the original desktop PC makers did. The difference is that there is no process these days that would pressure any of them into following any standard - eg each phone is made to run a specific OS provided by the device manufacturers, and thrown away before it needs too many upgrades. So the manufacturers really don't give a sh*t how hard it is for anyone else to put a different OS on it - long gone are the days when the games came with their own OS to boot the system into.

In the server world that may change eventually, but not for anything else.

And the modern user (in general) doesn't give a sh*t either as long as they can get their cat videos on FarceBork.

Re: good starting point

> But doesn't provide power to the phone to keep it going if the site power dies.

True, but sometime in the last few centuries, someone invented a device called a battery. IIRC, the NTE used by BT in the trial is locally powered, but has backup batteries. Which is all nice except ...

I've lost count of the number of bits of kit I've come across over the years with dead rechargeable batteries - so I do wonder what the long term plan is for battery maintenance in these units.

> It amazes me for someone who is such a perfectionist that this was allowed to slip in

My WAG* would be that Linus doesn't personally pore over every single line of code. More likely there are several "grades" of dev - with the best and most trusted allowed to submit their own code with little light handed oversight; while at the other extreme, there are devs (notably from the Freedesktop.org camp, see previous stories on Linus's rants) who don't get anything in without someone more trustworthy having vetted it.

* Wild Ar*ed Guess

Re: Business Continuity

> You use two different cloud providers to provision business continuity.

Does that also mean paying double the dev costs for setting it up ?

Notice that there isn't a nice agreed-upon common way of doing stuff across providers ? Good reason for that, all of them are in the business of making it hard for your to not put all your eggs in their basket. Also, there's price barriers put up in terms of traffic going out of the cloud vs internal traffic.

So while I agree with you completely, I strongly suspect that if you are using "cloud" rather than just "online hosting" of your own servers, there's a cost (and complexity) penalty in terms of supporting two different APIs, and regardless of how it's done, cost penalties for traffic in keeping the two systems synced.

Hence, a lot of outfits will rely on the distribution facilities in one cloud provider for their redundancy - and we know how well that works. C.f. when not long ago some of us weren't able to access our "hosted in the EU" Office 365 mail because there was a US based authentication server with a problem !

Re: @Grease Monkey

> It's a little more complicated than that, but I can see why it looks that way you describe it.

There is actually quite a bit of evidence to suggest that BT(OR)does (or at least has done in the past) engage in such aggressive anti-competition tactics. For example, round our way there's a lot of rural greenery - ie not exactly the sort of place where BT OR wants to spend a lot of (other people's - our county councils have given them a lot of dosh) money to build out FTTC etc.

So there is a community project that's been steadily over the years been building out gigabit FTTP. On more than one occasion, their announcement along the lines of "our next expansion of the network will be into X,Y, and Z villages and area" has been quickly followed by a BT announcement that "X, Y, and Z will soon be getting fibre". Absolutely nothing whatsoever has changed in the demographics or geography - the only change is that the customers in these areas will soon have an alternative (and much better) option.

I suppose that you could argue that if the residents in a village show that they are prepared to put the effort in (it's a community project remember) and pay for the quite reasonable connection costs, that might influence the guestimate of what the market is for FTTC. But mostly it looks very much like a spoiler operation - to try and prevent that competitor from getting a foothold by stealing their customers with a promise of FTTC at some future date that amazingly keeps slipping and slipping.

Other examples involve villagers clubbing together and contracting with some outfit to do a microwave link to someone's house and distribute from there. Again, BT suddenly announcing that the economics have suddenly changed - and it's completely coincidental - suddenly looks very much like a spoiler to get enough of those villagers to change their mind and make the project uneconomic. For the FTTC install date to keep slipping once the threat of competition is off the table is again a complete coincidence.

.

So yes, there will be some element of different operators making the same economic case and coming to the same conclusion. But there really is too much of a sh*tload of coincidence for anyone to believe there's no spoiling going on on BT(OR)'s part.

> and probably installed yet another app on your phone

And then, in the name of "usability" you find that instead of being able to push a button to turn it on/off, you have to remember where you left your phone, switch it on, unlock it, find the right app, wait while it connects with the vacuum, and only then can you turn it on. That is, if you didn't forget to plug your phone in, in which case insert another step of finding the charger, waiting till there's enough in the battery to turn the phone on, wait while the phone boots up, ...

Much the same argument about lighting. I have a switch on the wall by the door. It doesn't move around at random, I can't misplace it, it never needs batteries charging, and it works (in human perception terms) instantly - I switch it on, room gets lighter, I switch it off, room gets darker. Even my octogenarian mother can cope with the humble light switch.

> Can't they connect their phones with bluetooth or USB ?

That does, of course, mean knowing in advance that you won't be able to use WiFi and going properly equipped. If you are used, as I am, to just turning on the mobile hotspot and using WiFi then you probably aren't equipped with the right cables, software setup, etc to do it any other way.

Re: FFS- are you sure?

Are you sure? It didn't work for 48% of Britons who voted in a recent opinion poll?

There, fixed that for you ;-)

Yes as already said, there was an enormous amount of crap spouted on both sides. I voted leave for none of the mainstream fear mongering reasons - but because I thin that the pain we'll have from leaving will be less than the ongoing pain would be for staying. It's clear that those with the controls in the EU have no intention of listing to any of the voices warning of the impending shipwreck when they hit the clearly visible iceberg dead ahead.

Re: Horrible fascination

> Magically, they did this without cutting me open. (You can use your imagination but I simply refer to it as Pee-hole Surgery.....)

Ah, I like that name.

When I had to have a stone taken out, I'd have people asking me what seem pretty silly questions - one asked if they wen't down my throat to get to it ! Once I start with an explanation of why there's only one route in, there seem to be a lot of legs crossed :-)

As to what a kidney stone feels like ....

I didn't pass mine, and I'm not sure whether that's a good thing or a bad thing. But having the stone, I would describe the pain as like someone having crept up from behind, stabbed you with a blunt screwdriver and is twisting it around. Meanwhile, someone else has lassood one of your nuts and is swinging off it. All I can say is, the IV paracetamol when I got admitted in A&E was a welcome relief.

Now, I mentioned I had surgery - pee-hole surgery - to get it out. After they'd taken it out, as a day case but kept in overnight, the day case unit and ward failed to properly communicate. So the day case unit send me "out" with some pain relief, the ward didn't give it to me. The first time going to the loo after pee-hole surgery is ... "eye watering". It just isn't describable, and I imagine the aftermath of passing a stone is similar.

People in the know kept saying that it's worse than childbirth.

If it could be induced on demand, a kidney stone would make an excellent torture.

As an aside, according to the CAA, the peak times for recurrence is after 2 years and 7 years - that's when they require re-examination to confirm absence of any further stones for a pilot's medical.

Re: GRE packets?

> ... just block the GRE ports and ignore such requests?

Well that would be what the DDoS management service would do. But it needs the ability to divert all the traffic through a site which a) has the bandwidth and b) is able to apply filters to that volume of traffic.

Most ISPs won't have the means to redirect all that traffic AND filter it - even if they have the upstream bandwidth. Trying to filter it at your own site is useless because it's too late then - a few Gbps of traffic down your 10-100Mbps pipe will completely overwhelm everything.

And then there is the issue that dealing with this needs prior planning. It's no good phoning up your ISP and asking them to do it "on the fly" as they won't have anything in place. This is where the DDoD mitigation services come in - what to do when it happens is pre-arranged, so you call them up, they trigger the required changes (typically changing the advertised route), and filter the traffic from their own network before passing it (the filtered :good: traffic) on to you.

Re: Charging

> ... your 2 amp charger is delivering 4 times the energy of the 500 milliamp charger ...

Have a downvote for not understanding how these things work.

The 2A supply will only supply more current IF the device demands it. It's a complete and utter myth that swapping out (say) a 1 A supply for a (say) 2A one will somehow "push" more current into the device. The number of times I've had to correct people because they believe that a (say) 85W supply will damage a laptop that originally only came with a (say) 65W supply ... well I;ve lost count.

So if the 2A supply doesn't signal in a way the phone understands* that it can do 2A then the phone will not take 2A - it will limit it's draw to just 0.5A. Now extra current, no extra power, no problem. If the supply correctly signals that it's a higher power device, then the phone may draw more power for fast charging - but it will have been designed to do that and it should be safe.

But if a device isn't designed to use more power, then plugging it into a higher current capable supply will not make it draw any more current.

* There are now standards for signalling, but in the early days, each manufacturer had standards of their own. So (for example) a supply that would fast charge an iPhone wouldn't necessarily fast charge a Samsung, and vice-versa.

Re: How much is a IPv4 address worth

I would expect the standard allocation to be a static /64; is there reason to suspect something else?

Err, how about because most large ISPs are run by complete sh**s who will do anything to make it easier to squeeze more money out of "power" users. Given that some ISPs will not give a static IPv4 address, and others will only do it if you pay extra for a business connection AND also charge you extra rent for the address - I see no reason they won't do exactly the same with IPv6.

These are the ISPs in the race to the bottom of the murky pond where life is a muddy mess of squeezed margins and gullible punters who can't see past the headline price. Having outcompeted themselves on how cheap they can sell the service, they then need every trick they can muster to make a profit.

Needless to say, I'm with an ISP that costs more, but doesn't do this sort of stuff.

Re: The problem

> If this blatant absurdity goes through

Which based on past performance it will ...

And then Apple will have another stick with which to beat smaller players. Once they have a patent, they can go round suing pretty well anyone making OR USING paper bags - basically it's the joker in the litigation pack and pretty well gives them ammunition against just about everyone.

So when some small retailer falls out with Apple in some way, Apple can sue them for patent infringement - and it's then up to the defendant to prove the patent false (or that their own bags don't infringe). Given I've read that such action can cost in the order of $250,000 or more, how many small retailers could defend that ? So then it becomes a "how little will Apple settle for" game and there's a nice little extortion racket - with a "and as well as the damages, you agree to do/not do <whatever it was Apple doesn't like>" tacked on, making it another means for the big bully (Apple) to stop smaller people doing things Apple don't like

Yes, it will get invalidated when Apple take on someone able to mount a defence, but that can take years.

Re: Sooo ....

You missed the bit about ICANN showing all the signs of a body who's primary function is to ensure that the pork trough is as big and full as possible regardless of anything else.

Now I think we can look forward to "revised" costs for TLDs just about anything they have a role in, and that can only mean one thing as the effects trickle down - higher costs for us to fill up their pork trough.