Posts by malfeasance

Re: A scandal of epic proportions

What's galling is that Computer Weekly (? I forget the name of the trade paper) & Private Eye both shone a light on the scandal repeatedly and it was brushed under the rug. Also, didn't Panorama also have an investigative show on it.

This is a punching problem; where the families of all those affected get to punch fujitsu & vennells repeatedly until we have a different type of problem. (Violence is not the answer of course, but money and exoneration isn't going to give any _real closure_ to some of those affected).

So, I made the decision to move my dev environment 'into' WSL2 from NTFS (recently) because python, node, ruby are also things I'm working with as well as rust + java.

IntelliJ on Windows, for all its support for WSL2, didn't play nicely on my machine and essentially all gradle projects that are now in WSL2 break with a "can't find a main-class org.jetbrains.something.or.other.gradle.tooling.Proxy".. It was just meant to work according their docs; searching for the missing main class didn't give me much help either since I'm running the latest IntelliJ community edition.

I have moved to vscode (java+rust); running vscode with the WSL remote server or whatever is has been frictionless, and the java & rust projects 'just work' in the manner that I expect them to.

'yeah but, you could run WSL2 in Wayland mode, and install IntelliJ like that', or 'mutter some arcane invocation that magically has some kind of setting that makes it work'; I'm just fighting against the tooling by then, which stops me from getting actual shit done.

Re: Err

Sounds like you're reading into it as though Mr T is (already) having an apoplectic fit. That's not how I'm reading it, so we can agree to disagree about that.

He's given us fairly clear direction as to his expectations about the merge window; do it early so he has time to review code and understand the wider ramifications of it (if any). If we choose to still give him our merge requests in the way he finds disappointing (merge-window-close - 1) then we won't the best experience and shouldn't be surprised if things don't go our way.

Anyone vaguely related to a release process will have seen the pain of seeing someone commit a change on the release branch late in the day before go-live. It generally doesn't end well.

Re: Comfort?

Almost certainly alluding to the fact that their experience doesn't match his, and because of reasons, he must be wrong, because we are a homogenous lived experience now, big tech tells us so.

(I've already demonstrated that by referring to Charlie as a he, when I don't know them)

Headphone style is a weird one, the people that swear by over-ear headphones probably don't suffer from (or at least aren't bothered by it).

- Having to wear glasses like Charlie (and myself).

- Getting really hot ears from the over-earness of the headphones. Personally, I haven't found a pair of over-ear headphones that I can wear for longer than 30 minutes.

- On ears are better, but still not great

I get on with in-ears quite well, and from a "mobile headset" point of view I'm a big fan of the Bose QC earbuds, and the Sony WF-1000MX3 (or MX4) in-ears. 2 pairs because if you go on a flight longer than 6 hours...

However, from a usability point of view, earbuds are pointless in an office environment because the pickup from the mic broadcasts everything (by office environment, my home office is 2 person, and when you're both on calls it doesn't end well).

If it's purely for remote working then I would go for the aeroshokz/aftershokz opencomm, bone conductors with mic.

It's in the same price range as these, I can wear them all day, I can hear the doorbell when the postman comes, and for me, the mic is on the correct side of my face (I sit to the right, which means the mic hanging off the left ear makes a difference in sound pickup)

Because ultimately you are paying for skills. The company is effectively leasing the knowledge that you have in order to do the job that they need doing.

If you want someone for 30k from Elbonia, by all means go and get them; but what's the opportunity cose to the business by doing that.

I don't believe that programmers are fungible, that's a whole load of nuance that would need quantifying before you can go down the "programmers are interchangeable cogs in a production line" (which is the ultimate expression of what you've said).

It's our own fault that we liken development/programming as though it were a production line; that's never truly been the case.

Re: Whose?

To quote some analysis about this CVE (veracode) you need to be using

Spring Web MVC or Spring Webflux projects AND

Spring Framework version 5.3.x prior to 5.3.18, and all versions prior to 5.2.20 AND

Java 1.9 or above AND

Deployed on Tomcat App Server as a WAR AND

Spring Web MVC with parameter binding (enabled by default) AND

Don’t have an allowlist of HTTP fields registered to be allowed or explicitly disallow fields which could cause malicious intent.

The interaction between all those components are unlikely to be covered by a unit test, so it's somewhat disingenuous to mention it. It would have to be an integration test that needed to be done by the Spring team using things that are outside of their control.

I would note here that if you're a vanilla spring-boot user then you're not vulnerable to this partcular RCE.

Re: JNDI

There's always a problem with being able to lookup serialized binary objects across a network. Yes, JNDI RCE is a problem, because it's little bobby tables, so the application needs to do verification of user input just like always.

8u191+ disabled by default the ability to inject classes (e.g. I don't have the class this object refers to, could you give it to me?). However, it is still possible to achieve the same thing if you have a class that's vulnerable already on the classpath.

https://www.veracode.com/blog/research/exploiting-jndi-injections-java

I mean the obvious example is going to be a lookup via LDAP for my identity, if I were to change my name to "rmi://example.com:10977/dodgy" and the login page ended up calling InitialContext.lookup with my dodgy name (and the server was allowed to open up external connections...)

Re: JNDI concerns

And yet they have done it with extreme prejudice haven't they, they've taken option-b and rightly so, but the decision to enable it by default is basically down to the Apache committer.

If you look at the log4j jira and search for the original ticket (https://issues.apache.org/jira/browse/LOG4J2-313); the use-case seems reasonable on the face of it. With hindsight "we can all say, there's no way that's secure, don't be soft!". But, think about the sea change in security perspective in the intervening 8 years. How many of us employed by corporates have now been on mandatory secure-by-design training. If you've been with the same company for a while, when did the powers-that-be mandate it? (I suspect it was post equifax...)

Developers are ultimately lazy and haven't been forced to have the discipline to consider all the side-effects of their changes on the entire system.

To take a case in point, the javax package move to jakarta is one that irks me, because they've broken backwards compatibility in a completely nonsensical way. jakarta.mail.jar contains some "com.sun.mail" packages in situ, but have renamed all the javax.mail -> jakarta.mail. There's a circular dependency in one of the classes (a com.sun.mail class now takes a jakarta.mail class; this conflicts the same class that might have been provided by javamail-api.jar, because method signatures right)

They committed the change, the unit tests passed, so they released jakarta.mail-2.0.0, because the unit tests passed 100% code coverage. It's all good.

There are a lot of things out that that still depend on javax.mail.*, but this means that you can't include javamail-api-1.6.2.jar and jakarta.mail-2.0.1.jar in your classpath. Backwards compatibility is now broken irretrievably; there will be projects that pull an open source library that is orphaned (but serves its purpose) that depends on javax.mail (because javax.mail.mime isn't awful) and they can't upgrade to jakarta.mail to take advantage of security updates because they need working software.

Depends on the documentation

There might be perfectly reasonable design decisions as to why Microsoft did that. Equally there might not be (Microsoft aren't going to tell us either way are they).

If you have documented prominently that "anyone can gain access to AD as a domain admin by doing this. If you want to stop that then do this this, and this. This has the known side effect of causing this behaviour..."

Isn't that documented well enough (if prominent enough) such that the customer can make a judgement call about it? Everything's a trade-off isn't it, and I presume that MalwareBytes made that trade-off...

Re: His classes are working

I don't think it's the classes.

Linus historically (been | appeared) the type of person that can admit when he's wrong. It's just that he's not often wrong in the things that he's the subject matter expert in (you know, like the kernel). I think there's a phrase "Strong opinions, weakly held" that could be used to describe him.

Re: No need for Slack

The one thing that slack had over ms teams for a while, was the fact I could "join different organisations" slack workspaces in the same UI instance;

That wasn't great in teams, possibly still isn't, but I haven't needed to use it in anger recently.

Anecdotal evidence shows me that slack really suffers in the context of "it doesn't behave well with other applications; my other half is always complaining that slack sucks her CPU (5-10 different workspaces) and bandwidth.

Re: More than four concurrent videos

I regard Teams as primarily a business tool; my line in the sand would be: If you have > 4 people in a meeting, it's not a meeting anymore; it's just a hot-air balloon being inflated.

Sure; I get that stuff is nuanced, but for most business use cases, Teams will work fine (as will any of the other tools).

I've worked remotely for nigh on 20 years, and after the novelty of it all; it's all about asynchronous communications; it's all about being precise in your communications (bearing in mind all the the filler words that english has and how useless they are, relatively speaking - look I've used a bunch in typing this comment).

It's nice to have a choice isn't it?

so-called engineers that don't understand the tools they use

You're bang on, seen that so many times; which is confusing since you can easily have an excludes file in your ~/.gitignore a-la

[core]

excludesfile = /home/user/globals/gitignore

And then in that gitignore file have a "__localonly" line; this means, doesn't matter what project I'm working on, I create a __localonly directory and stuff all the hard-coded nonsense in there.

Never gets checked in, never gets pushed, doesn't ruin anyone elses pristine filesystem...

Re: Canada?

Yes, Ice Wine. Might not be your bag if you don't like dessert wine, but it's a wine; some think it's fine.

Re: Eh?

Sure, but the software provided by one of the data integration vendors could work in both an ETL way, and an app integration way. You're then using the same piece of software to achieve 2 very different end-goals with presumably some level of improved supportability/providing more business value. If that's good enough; then excellent. If not, then that's fine too.

Saying that ETL/App integration are instrisnically a different class of problem to each other doesn't seem right, but then I'm just a programmer.

@Ralph76 - Surface Pro is a domain aware tablet...

Erm, it's called a surface pro; it is exactly what you asked for, a domain aware tablet with a keyboard... It's just very pricey and thus not an option for the state system sadly.

The school (It's an fee-paying school, goes from 5-18; Surface Pro use starts at Yr 5 (~9/10) my daughter goes to has mandated surface pros; along with the whole Office 365 buy-in. Having seen how they're using OneNote and all of that to distribute homework it is a big step forward in terms of managing that aspect of schoolwork.

They use the stylus to annotate the notes / material, and to do the homework; homework is auto-synced, and just "done". The STEM subjects all use the technology quite well I think. The artsy subjects not so much but submission for homework can always be electronic at least.

Installed Python for CS - I did ask the CS teacher if we could just use the ubuntu WSL but she specifically wanted Python 3.6 (I know I can get it on the ubuntu WSL, but there is probably no point being that annoying for the sake of it).

I have issues with how the IT guys have set it up (badly); but overall the decision on surfaces is a darn sight better than the previously announced (but never followed through) mandate to use ipads. The expected lifetime of the surface pro is ~4 yrs.

Re: Firefox unloved by mozilla

@Dan55,

Printing - when everything else can do it, and FF can't; rightly or wrongly; I'm going to blame FF. Life is too short to try and investigate that kind of misbehaviour, I'll just use another browser, login to a.n. site, and print my order conf.

Proxy networking : If I lock things down so that nothing is allowed to make 80/443 connections bar the proxy, FF *cannot browse the web*. Edge can, as can Chrome (as this also has use system-proxy settings checked).

I have to physically check the "auto-detect proxy settings for this network"; at which point it goes through the wpad resolution chain - I can see this from the DNS logs...

The configuration of my dhcpd instance appears correct; after all everything else works correctly; it's just FF.

Re: Ummmm...

The Mrs suggests go cardless or stripe as your payment processor. Anything is better than the foetid pile of ordure that is PayPal

Re: The Dance while you wait to get permission to remove a drive/device

Hey,

I suspect you have some kind of indexing / search turned on for your USB drives; so windows probably isn't wrong, just you have no idea what is using the drive.

My boss gets this whenever he doesn't turn off spotlight (mac) for USB keys; he's made a few of mine "not well" even though he says he always clicks the eject button.

Re: Connection nagging

Happens all the time. I have "mobile data" turned off for all non-essential apps on my iPhone (it's enabled for the web-browser, mail and probably the Maps app).

So, if I'm not connected to WIFI then often this kind of thing happens :

1) Start the music app (the built in apple one; nothing fancy).

2) A big notification that you have to OK / CANCEL : Mobile data is not enabled for this application (you can't use the app until you dismiss the notification)

3) Spot of name calling as to why a fucking music app needs access to the intertubes (yes I know it's to encourage me to buy tunes from the store; who in their right mind would do that over 3G ???).

Re: Why Why I always asked myself for Surface

I have a surface 3 pro; and while I don't love it, it is a tool I use most days (I'm a dev by trade). I probably could have bought a surface 3 given my use-case.

1) It's lighter than my laptop (so going to visit customers is generally easier).

2) It is a duplicate of my laptop when it comes to source code / git / mercurial etc. My whole build environment is available.

3) It works adequately on my lap (in front of the TV style; if I need to do work, then yes, I'm the type that goes and sits at a desk). The type cover is pretty good to type on.

4) Wireless Display Adapter (though this isn't necessarily limited to having to use a Surface) for presentations...

5) The pen is excellent for taking notes, and (if you have trained it) then converting handwriting into text.

6) "Signing PDF NDA" without having to print the damn thing (yeah, this is a marginal use case).

7) While not exactly cheap; it's comparable to the price of a decent ultrabook (I spec'd out a 8gb/256SSD at the time)

The furore over the Win7 interface vs Windows 8 does bemuse me; The difference between the interface has never bothered me; I find the start menu navigate to "programs" the slowest way to start a program; I've used launchy since ~2011 so I just use that, I haven't touched a start button since then. Metro has it's uses as well; though I tend to end up on the desktop because cygwin / putty.

@Phildude Re: So just switch to a strong password that's just numbers?

iOS devices only mentioned. But if we were to consider Android; if I enable "a passphrase" and I only use a numeric password; what does it present you with. If it's a full keyboard, then in this regard, iOS has it "correct for my usage model" (got fat fingers see, and a numeric keypad is better for that...).

Also, the article mentions that the brute force flaw bypasses the rate limiting and wipe device settings; I have my iPhone set to "wipe" after 10 attempts... By the time I got to the 7th or 8th failed attempt I was waiting ~2hrs for the next attempt (I tested this myself); so the back off delay you mention is already there and has been bypassed through use of this flaw.

Re: I thought this was going to come with

Also kickstarter; with a t-shirt. It is self assembly, in the sense that my 6 year old snapped together all the parts; lego style.

When we opened the box, I had to tell her how to hold the mobo, and how to plug in all the bits (picture instructions in the book). It was all her though.

The OS that's shipped auto-boots into a desktop that is geared towards the young'uns, you get pong (http://pong.kano.me), snake, a minecraft learning game (this appeared to cause a reboot on our PI, suspect overheating), and a couple of other bits and bobs that we haven't got round to.

It's a bit overwhelming plugged into our living room TV, so I may have to plug it into one of the spare monitors (this is just a distance from screen/size of text thing).

Re: Std Dirty tricks by tory boys of the westminster clan

Right... If in doubt suspect a conspiracy. Isn't it always the case that for these new-fangled-debate things each of the broadcasters gets a bite of the cherry? Last night was ITV (STV as the franchise owner), in a couple of weeks BBC will have a go.

Given that the current bunch of numpties can't do anything very well; a conspiracy wouldn't be my first choice.

If you're a so-called cybernat, then do kindly go away.