
* Posts by Ken Hagan

6414 posts • joined 14 Jun 2007

Three more data-leaking security holes found in Intel chips as designers swap security for speed

Ken Hagan
Gold badge

Re: Middle ground

"Or guarantees that only VMs for the same customer of a given security level are running on the same machine. "

That eliminates a fair percentage of the economic benefits of moving stuff to a cloud you don't actually own yourself.

With Spectre and Meltdown violating security in one direction and this SGX bug violating it in the other direction, the case for migrating your shit back to home turf is probably made. (In effect, yes it will cost a little more, but you'll be able to run all your processors at full speed rather than hobbled by mitigations, and so the equivalent hardware will cost you a lot less than it would cost (say) Amazon.)

1
0

Foreshadow and Intel SGX software attestation: 'The whole trust model collapses'

Ken Hagan
Gold badge

Re: Intel only?

"And why the sly reference to Israel?"

Because Intel have a major presence there?

(You don't have to give the Jeremy Corbyn treatment to everyone, you know.)

3
0

Former NSA top hacker names the filthy four of nation-state hacking

Ken Hagan
Gold badge

Re: Beyond Parody

I can think of at least two nations you might be referring to, but I can't prove either one. You'll have to be clearer. :)

3
0
Ken Hagan
Gold badge

Re: Rofl

If the Russians *haven't* tried to influence the US and UK votes then their spooks just aren't doing their job properly. Likewise, if the NSA and CIA with their eye-wateringly large budgets are not the world's #1 miscreants then *they* aren't doing their job properly.

You cannot stop your enemies trying, so your responsibility is to either make them your friends (and I don't see much evidence of that on any side) or defend your institutions against hackery.

11
0

Criminal justice software code could send you to jail and there’s nothing you can do about it

Ken Hagan
Gold badge

At the risk of Godwin-ising the discussion on the first page (*)

Police can say 'It's not my decision, the computer told me to do it,'

I believe the actual phrasing you are looking for is "I was only obeying orders." and not only has this one been (quite famously, IMHO) shot down in court, it is plain embarrassing when the orders you are following have come from a machine rather than a superior officer.

(* In fairness, it's a fairly high risk when the topic is "being a racist bastard and trying to pin the responsibility on someone else".)

7
0

Wasted worker wasps wanna know – oi! – who are you looking at?

Ken Hagan
Gold badge

Re: Wasps

"Take off and nuke the site from orbit, it's the only way to be sure"

Yes, but the neighbours do whinge so when we do that...

5
0

US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old

Ken Hagan
Gold badge

Re: US Elections

So it's a toss up between the Russians and the Chinese, then?

11
0

The Register's 2018 homepage redesign: What's going on now?

Ken Hagan
Gold badge

Confused

Didn't like it. Too many changes of layout as you go down the page. It looks chaotic and disrupted. If anything, I'd prefer fewer images on headlines, since the images rarely add anything to the stories, so they're just taking up space.

In passing, I didn't know about the weekly summary page, but now that I've tracked it down I won't be using that either. Again, too many images and too much text-per-headline means that it isn't a space-efficient "index" in my book.

But maybe I'm just odd.

3
0

Devon County Council techies: WE KNOW IT WASN'T YOU!

Ken Hagan
Gold badge

Re: dispatch or despatch

I'm curious now. I've lived in the UK for half a century and I'm pretty sure that's the first time I've ever seen any suggestion that "despatch" isn't the work of an illiterate. However, some googling would suggest that a number of web-sites are prepared to say that "despatch" is how my fellow countrymen have been spelling it all of these years. I suspect that most of these sites are US-based and prepared to accept that the UK spelling is different without bothering to research the matter, but I can't be certain of that.

So how many people reading this would write "despatch", where did they learn their English spelling, and when did they learn it?

2
0

The off-brand 'military-grade' x86 processors, in the library, with the root-granting 'backdoor'

Ken Hagan
Gold badge

Re: Yet Another case of "Security by obscurity"

"That doesn't work."

Well, security by obscurity hardly ever works if you document it, as noted in the Fine Article.

18
0

Imagine Python fan fiction written in C, read with a Lisp: Code lingo Nim gets cash injection

Ken Hagan
Gold badge

Re: Interesting but ugly

"Everybody sane tries to spell identifiers with consistent capitalization anyway"

Consistent with what, exactly? Certainly not "everybody else".

UNIX consistently spells usernames all-lower-case, despite the fact that US culture (where it grew up) does not spell people's names that way. Some email systems are then case-sensitive and others are case-insensitive, and where an email address is used as a user handle there isn't even an RFC to point to for the right answer. The result is that you just have to know whether the system you are talking to wants:

your.name@example.com

Your.Name@Example.com

Your.Name@example.com

or perhaps something else entirely.

You guys need to get out and talk to real users. A computer that rejects input because you didn't exactly replicate the case that it had in its little head is a "*&%ing stoopid computer written by a £$%-ing nerd who throws a hissy fit if he has a prime number of baked beans on his toast".

And as with addresses, so with files and so with variable names, because the underlying reference model for all of these is "names as they are written in normal language".

0
0
Ken Hagan
Gold badge

Re: Interesting but ugly

"Case insensitivity is widely considered to be more user friendly. This holds for file systems, ..."

This is not bollox. Most people find case-sensitivity to be perverse and annoying. Spoken language is not case-sensitive. Most human writing systems don't even have the notion of case, so the concept is already alien to the majority of your user-base.

I suspect that the real issue here is that case-sensitivity is associated with UNIX and is therefore pure and good, whereas case-insensitivity is associated with Windows and must therefore be evil ... somehow.

0
5
Ken Hagan
Gold badge

Re: Interesting but ugly

"Saying that case insensitivity is good because Pascal, Ada, FORTRAN and Basic have is, well, a bit of a weak argument."

Editing "Lisp" and "Eiffel" out of the list is a bit of a weak counter-argument. It looks like you feel the argument would have been stronger with them in, so you took them out in order to mis-represent the other guy's case.

0
0
Ken Hagan
Gold badge

Re: Interesting but ugly

"the identifiers FOO_BAR and fooBar are equivalent"

Does this mean the language is screen-reader-friendly?

0
0

How evil JavaScript helps attackers tag possible victims – and gives away their intent

Ken Hagan
Gold badge

Re: What if you don't allow JS at all?

"yotta yotta"

Is that like yada yada but 10^24 times bigger?

9
0

Top Euro court: No, you can't steal images from other websites (too bad a school had to be sued to confirm this little fact)

Ken Hagan
Gold badge

Re: New internet standard...

"Unfortunately a lot of websites routinely strip that information and for average joe, that information is usually not readily available."

Given that we're only talking about a handful of bytes here, I can't see any legitimate reason for stripping EXIF copyright data. It is an evil practice. It makes it harder to trace the copyright owner, which makes it more likely that the owner won't be traced, which is just anti-social. To systematically cover your tracks in this way, for all images on your web-site, makes it look like you have something to hide. Perhaps one or two of them shouldn't be there, but which ones?

Of course, for *other* bits of EXIF data the opposite reasoning applies: https://www.kaspersky.com/blog/exif-privacy/13356/. Fortunately, it wouldn't be hard to write a program that stripped out privacy-related data whilst preserving copyright-related data. Unfortunately, you then still have to persuade people to use it.

5
1

Sur-Pies! Google shocks world with sudden Android 9 Pixel push

Ken Hagan
Gold badge

Re: The REAL challenge

Quiche?

1
0

The age of hard drives is over as Samsung cranks out consumer QLC SSDs

Ken Hagan
Gold badge

"and 100mbit fibre to the home is a reality"

In some areas.

And specifically to the home.

Meanwhile, SATA 3.2 is also a reality, works both ways, is 160 times faster, and is on an uncontended link. This consumer will be keeping his stuff in the PC as a matter of course for the time being, thanks.

7
0
Ken Hagan
Gold badge
Trollface

"Multics lives on in Windows and Systemd."

I see what you did there.

6
0
Ken Hagan
Gold badge

Re: Ah, but

Hahaha, my second was 40MB but I didn't discover the hidden 8MB until I'd owned it for a few months.

3
0

Dear alt-right morons and other miscreants: Disrupt DEF CON, and the goons will 'ave you

Ken Hagan
Gold badge

Night-club bouncers are all very well, but you need someone with a little judgement reviewing their decisions. (https://www.independent.co.uk/news/uk/home-news/bouncer-woman-breasts-cornwall-newquay-sailors-arms-teenager-club-a8473331.html)

3
0
Ken Hagan
Gold badge

Re: "Alt-right moron"

Once you are "alt" (ie, extremist), there's no distinction between right and left. You are merely a twat trying to impose your limited mental grasp on reality upon a majority who exceed your puny mind in every respect.

24
3
Ken Hagan
Gold badge

Re: Private event on private property

Probably, and that's probably what the lawyers who reviewed the code of conduct were thinking when they signed them off. The clever bit is for the conference organisers to realise that they have this power and that being too specific in their code of conduct probably only gives the miscreants wiggle room.

10
0

Grad sends warning to manager: Be nice to our kit and it'll be nice to you

Ken Hagan
Gold badge

A "brought-in Quality Manager" you say.

That's an interesting idea.

What do you suppose their motivation is, given that they have no financial interest in the company and the companies that they prey upon are self-selecting for "too fucking tight to hire permanent staff and too fucking dysfunctional to have any inherent quality"?

13
0

Well, this makes scents: Kotlin code quality smells better than Java

Ken Hagan
Gold badge

It is also quite possible that the new Kotlin apps are, for those writing them, the second time they've written an app like that (because this is the Kotlin re-write) or that those writing them are just better developers (because they've had the time and inclination to learn another language).

Similar remarks apply to (nearly?) every comparative study of the effects of language choice on code quality. It is actually extremely difficult to design such a study and remove the effects of people, experience generally, experience with this particular type of problem, and difficulty of the problems under study. I've never seen it done and I'm not sure it can be.

13
0

Boffins build a NAZI AI – wait, let's check that... OK, it's a grammar nazi

Ken Hagan
Gold badge

Possibly because they are trying to imitate lawyers, who appear to believe that punctuation is subjective and therefore has no place in legal text.

4
0

Trump 'not normal' FCC commish reveals amid Sinclair-Tribune mega-media-merger meltdown

Ken Hagan
Gold badge

Re: The Fake President is the epitome of Greed

"After all, Hitler WAS elected..."

But not by a majority.

And he would have fared no better than his immediate predecessors in trying to maintain a government had he not done something that they didn't --> mount a military coup against the country he was supposed to be running.

5
0

Microsoft devises new way of making you feel old: Windows NT is 25

Ken Hagan
Gold badge

Re: "It took Redmond until 2000 to create a usable server edition."

"How do you make a Windows NT server 4x quicker? Stick Netware on it."

But in doing so you make it 4x more expensive. Not that NT was cheap, but Netware was pretty pricey and the difference was enough to pay for a substantial hardware upgrade.

0
0

The internet's very own Muslim ban continues: DNS overlord insists it can freeze dot-words

Ken Hagan
Gold badge

Re: A few issues

"Either follow your country's laws and risk your status as a registrar or follow ICANN's regulations and risk getting sanctioned by your country's legal system."

Well I'm not sure I ever followed the argument here. It seemed perfectly plain to me that the ccTLD belongs to the local government, not ICANN, and that if ICANN wanted *any* influence over how it was run then they would have to have a legal presence in the country concerned, at which point they are subject to local law.

Obviously it is open to ICANN to simply punt and give up on a ccTLD. I think you'd have to say they've done that in a fair number of cases. (Can you really see ICANN dictating policy to China, Iran, Russia or North Korea?) The much-feared balkanisation of the internet has already happened and the sky remains defiantly above our heads because ICANN don't control the technical standards and those are what matters.

0
0
Ken Hagan
Gold badge

Re: "broke"?

"Broke is used by those who are truly woke"

I think that was the OP's point.

1
1
Ken Hagan
Gold badge

Re: Playing with fire

"since they'd all still have to point to ICANN roots for .com, .net, .org and country specific TLDs they'd be the lowest common denominator so that's all anyone would use. Which defeats the purpose of this hypothetical engineer led revolt against ICANN..."

On the contrary, I rather took this to be the point of the exercise. But on the other hand, DNS is a hierarchical system, so these hypothetical engineers can already configure their own systems to drop all the gTLDs on the floor.

3
0
Ken Hagan
Gold badge

Re: Too late

"I can see that .catholic is a strange one because that religion is centered around what the Vatican (which is a separate country in and of itself) says and does. "

Nit-pick: what we in the West usually refer to as the orthodox church actually lays claim to being the catholic church. The word just means universal and consequently both sides of the Great Schism believe they are the *legitimate* claimants. This is also why the term /Roman/ Catholic exists.

18
1

Think tank calls for post-Brexit national ID cards: The kids have phones so what's the difference?

Ken Hagan
Gold badge

Re: Windrush

Not strictly true, since a properly audited and distributed system would make it immediately clear to everyone that a particular named person *had* deleted particular named people from the database.

But I up-voted you anyway because there's no fucking chance of gov.uk doing the job properly.

6
1
Ken Hagan
Gold badge

"If you can't trust the government, you frankly can't trust ANYTHING and should be seriously considering renunciation..."

If you can't trust the government, you should adopt a constitution where they don't have all the power. Pretty much all of the world's long-term democracies figured that one out years ago (and in nearly every case it is the only reason they are still democracies).

5
0

Windows 10 Insiders see double as new builds hit the deck – with promises to end Update Rage

Ken Hagan
Gold badge

Re: Whats wrong with

Let's say I'm going away on holiday. When I come back and turn that computer on, I don't want the very first thing it does to be "notice the date and suck several gigs of shit down my wire whilst berating me for leaving the upgrade so long".

7 days is not enough. 700 days is not necessarily enough. If you feel that you really have to carry on nagging, then do so, but don't actually wrest control of *my* property from me.

12
1
Ken Hagan
Gold badge

Re: windows update

"Don't see why I should have to pay for this, but ..."

You shouldn't. If Windows was completely free then you'd have no claim, but it isn't. You paid a (small) fee to have a product on your PC and apparently that product is not "fit for purpose". In the case of a PC operating system, "fit for purpose" means it is safe to leave it connected to the internet without it automatically getting fucked over by the vendor who is offering a range of licence upgrades protection schemes whereby you pay them money and they stop doing Bad Things to your computer.

12
0
Ken Hagan
Gold badge

Re: Providing a source of income for Dolphin Screenreaders

You should seriously consider suing Microsoft for the costs. It is *your* computer but it is *their* decision to make upgrades compulsory and *their* choice of timing and *their* updates that turn your working system into a not-working system. Either they hand over the tools to block these updates or they pay for the damages. Sure, you could prevent the problem yourself by pulling out the network cable, but then it isn't the useful PC that you paid for.

It is fucking ridiculously negligent that MS apparently have the right to bork *your* computer on a six-monthly schedule, do not apparently feel the need to provide an off-switch and still get off scot free by saying "sorry, but computers, you know .. hard".

16
1

Hey you smart, well-paid devs. Stop clicking on those phishing links and bringing in malware muck on your shoes

Ken Hagan
Gold badge

Re: Not a problem for Node.js

"Not sure if your being sarcastic or not..."

I'm not. I take your point about sandboxes being permeable, but my point is that if your sandbox is permeable then it was game over for you as soon as you started surfing the web. Hardly anyone runs trusted code in their browser. It's all "whatever the web-site feeds me". There is nothing in today's story that makes this any more scary than it was yesterday. I think it is unfair to pick on the Node.js crowd.

1
2
Ken Hagan
Gold badge

Not a problem for Node.js

"That sentiment poses a particular problem for the Node.js community, where developers often rely on dozens or hundreds of code libraries (each of which may incorporate other libraries) written by someone else."

You mean ... developers often rely on links to dozens or hundreds of code libraries that can be modified after the fact by someone else, so even if they weren't a problem when the software was written they could become one if an attacker so chooses.

But this isn't actually a problem, because from the point of view of the end-user who runs the code, all JavaScript is untrusted code and therefore runs in a sandbox as a matter of course. (Well, OK, not quite all if you are the kind of person who has locally maintained apps written in JS. But I think that makes you rather unusual.)

2
3

HPE supercomputer is still crunching numbers in space after 340 days

Ken Hagan
Gold badge

Re: But they are on the ISS, not on the other side of the magnetosphere

Indeed, the ISS is so "rad soft" that even people can survive there for a year.

2
0

Spectre/Meltdown fixes in HPC: Want the bad news or the bad news? It's slower, say boffins

Ken Hagan
Gold badge

The good news...

...from Intel's marketing department will be that their next chips are several times faster than their immediate predecessors on most workloads. In fact, they've never seen such a performance leap in a single generation and you simply must rush out and give them all your money.

8
0

Hooray: Google App Engine finally ready for Python 3 (and PHP 7.2)

Ken Hagan
Gold badge

Re: Being a python developer...

"I mean who in their right minds, in the 21st century, comes up with a programming language that is whitespace / indentation sensitive."

Who in their right minds has ever intentionally written code that doesn't get the indentation right?

How did they get this through lint? (First seen in the 1970s, I think. Something similar presumably exists for newer languages.)

Why are they still a programmer? (The opprobrium of colleagues should make them quit if nothing else.)

Which of their (now former) colleagues isn't using an editor that can sort out the indentation of an entire file with a single command?

1
0

Fork it! Google fined €4.34bn over Android, has 90 days to behave

Ken Hagan
Gold badge

Re: Choice on Apple?

"So google could just say they will stop updating android, lock down the code, encrypt it and no longer issue any new updates to non google made phones."

They could do that with the Play runtime, but everything below that (Android and Linux) is FOSS so they can no more lock it down than I can.

13
0

Official probe into HPE’s Oz 3Par crashes would create 'further negative publicity' if revealed

Ken Hagan
Gold badge

Re: rumours

"support turned off the error reporting"

If true, then I have to ask "Why is it possible to turn off the error reporting?". Ignore it, by all means, but when the shit finally filters through those fan blades, the error reporting is what distinguishes a problem caused by the end-user from a problem with the kit. So why would the vendor *let* the end-user remove such evidence from any future investigation?

1
0

Official: The shape of the smartphone is changing forever

Ken Hagan
Gold badge

"Probably better to invest in an external "power bank" if you find the power running low"

If I was happy to carry around an external battery, permanently plugged into the phone because the built-in one has worn out and I'm too cheap to buy a new device every other year ... then I'd prefer no battery at all inside the device.

5
0

LG G7 ThinkQ: Ropey AI, but a feast for sore eyes and ears

Ken Hagan
Gold badge

Re: May we please stop calling them phones?

How about "mobile"? Or is that already taken for something?

0
0

‘Elders of the Internet’ apologise for social media, recommend Trump filters to fix it

Ken Hagan
Gold badge

Re: These are not the real Elders of the Internet...

Well, obviously. The real Elders are reached via example.com (officially reserved, but we know different, eh?), but only if you connect using IPv6 and have the IPsec configuration right.

4
0
Ken Hagan
Gold badge

Re: "USENET was a pretty clear warning."

"Social media is private space, and its owners refuse to take responsibility for policing it."

There's a story somewhere today that Farcebook "moderators" are deliberately keeping offensive material online because they believe it would hurt their bottom line to censor it. If that is the case, they are making editorial decisions, which makes them liable as publishers, and have admitted a financial incentive to publish material including hate speech and physical abuse of children.

I'm pretty sure *I'd* be in deep shit if I published such material on my own web-site and I'm pretty sure that "but this is how I make my money" wouldn't be accepted as an adequate defence.

4
1
Ken Hagan
Gold badge

Re: There's something wrong with social media

"He didn't state it as a defence."

No, his actual defence was to bet a signed dollar that it was true.

If I were the victim, I'd seriously consider taking up the bet and then going to court to obtain the dollar (plus costs, obvs). It might be worth a fair bit if Mr Musk fails to prove his case.

0
0

The Register - Independent news and views for the tech community. Part of Situation Publishing