Posts by Ken Hagan 8168 publicly visible posts • joined 14 Jun 2007
"I understand this is annoying, ..."
... because there is a detectable error in the unit file and yet the system does not tell me about it.
"but still: The username is clearly not valid."
...so systemd feels free to make shit up and do that instead.
Sorry Lennart. This is not a security bug but it is definitely a bug, and a pretty embarrassing one at that.
"even Redmond creations like the Resilient File System (ReFS) are blocked"
So yet another case of their right hand not knowing what their left hand is doing.
MS have looked for many years like they no longer have functioning management. Individual projects may roll out OK, but the bigger picture is lost. Two different control panels ever since Win8? Check. But that was 5 years ago, so surely it has been resolved by now. Oh dear. Patchy support even amongst the built-in utilities (like the aforementioned control panel) for hi-dpi displays ever since Vista. Check. But that was 10 years ago, so surely it has been resolved by now. Oh dear.
So if the entire senior management team falls over in the forest, does anyone actually notice?
"When we first came across American stuff we were having trouble with it all until we realised they were the ones using imperial measurements"
Actually, no. The Americans went their own way before "Imperial" measurements were a thing, which is why their gallons are the wrong size. I'm not sure what the correct name is for their system -- probably "English".
If I may just butt in on your exchange with Charles 9, I think the issue is what you understand by the phrase "the hardware itself". The difficulty is in the first word: "the".
Some hardware needs to be trusted. To my knowledge, no-one has found a way of building a trusted plaform on top of an untrusted CPU. At some point, the data has to be processed. Building a transparent hardware encryption of memory is conceivable, but I don't know of anyone who has done it. I imagine the cost (in performance) is a worry and I imagine that replacing "needs to trust memory" with "needs to trust the memory controller" isn't reckoned to be worth the effort. You can, however, build a trusted data volume on an untrusted drive and this is now commonplace.
Once you get to "hardware that you plug in", like USB sticks and eSATA drives, there is an expectation that "the hardware" should not blindly trust "the peripheral" and some bus architectures have been crtiticised (well, actually, more like written off as "do not use, ever") on this site and elsewhere for allowing precisely that.
With that context, I'd say it makes a big difference whether the hardware is outside or inside "the box" and that test should be interpreted as "end-user serviceable" rather than taken literally. So the SD card counts as "outside" even if you have to take the case off and remove the battery in order to get to it. The screen, however, is definitely "inside" for a phone or laptop, but would be equally definitely "outside" if it is a desktop machine with graphics card and a cable socket.
There is no shame in building systems that trust the hardware inside the box. There is plenty of shame in trusting hardware outside the box. Vendors should probably design their boxes so that you just need fingernails to access the outside parts but you need a screw-driver (possibly one of those stupid ones that no normal person has) to access the inside parts. Then everything is clear.
I think you are missing the point that the alternative is equally disruptive. The NHS appears to be running on a vast number of XP boxes. The fact that these systems haven't already (many years ago) migrated to a more recent version of Windows surely proves that there is no upgrade path that isn't massively disruptive and painful.
"I simply can't see that happening, which is completely consistent with the development of NATO's cyber strike capabilities in the last 20 years."
One hundred years from now we'll probably be able to say for sure what those capabilities are. My guess is that we'll discover that the most powerful weaponry and most robust defences were actually in the hands of a handful of private individuals on both sides. I'll also guess that hindsight will refute the idea that cyberspace had well-defined borders, so even if NATO generals talk about defending NATO countries, the border is so flaky that for all intent and purposes the Russians are already here and we are already there. How can you talk of strike capabilities when you are already in the midst of a million-person melee?
"-Expanding NATO to include the Ukraine"
Expanding NATO to include Russia would actually be a smart move. That is, if you can get relations with Russia and mutual respect for each other's rights of self-determination to the point where it isn't just laughed out of court, you'd have done a fantastic job of guaranteeing the security of the West and East and you could start to think seriously about sorting out some of the humanitarian disaster areas elsewhere.
But I get the feeling that NATO is about job security for generals rather than actual security for countries...
The average US startup burns through its seed capital and has nothing to show for it at the end of the exercise. Being an entrepreneur is hard.
Intel and Microsoft also changed the world for good. If you are too young and uninformed to remember or know how, I suggest you do some reading up on how the world was back then. If they have both become fat and lazy and exploitative in recent years, well they are in good company: Google have gone the same way.
"One billion quid to the DUP, divided by three and a half million foreigners."
You are assuming that these foreigners will be willing to pay. Many won't, which will push up the price of the cards, so many more won't, until eventually the one who really wants to stay is stiffed for a cool DUP for the bit of card they need.
Google is welcome to pull out of Europe. They are quite a good search engine, but they make a lot more money out of Europe than Europe makes out of them. They are also free to pull out of China, where they are treated far more badly than in the EU, but funnily enough they are willing to put up with that, too.
It's only politicians who believe that their country's businesses can dis-engage with the rest of humanity and somehow come out stronger. Everyone who is actually in business thinks it is a daft idea.
An hour a day sounds like fairly light usage compared to what their parents' generation used to spend watching the goggle box, and with YouTube you are picking your own viewing rather than just swallowing whatever cack the channel controllers have decided you ought to watch.
And whilst YouTube doesn't do news, the internet does. In fact, for most of the world's population, the internet does news rather better than the local TV stations. So much better, in fact, that the local governments get upset.
"- I was not talking about Windows apps in general, but the File Explorer application that ships with Windows."
That would be the file explorer that has always supported third party extensions, written by people who read the docs and therefore know that a 260-character buffer is safe.
"- Applications written for other OSes commonly make files with paths that exceed 260 chars, why should Windows users be unable to handle those files ?"
Because Windows documentation has, for 25 years, consistently stated that a 260-character buffer is the maximum that you need to support, even if weird hacks are available to let you manipulate files created by other sub-systems.
"- I have not heard a file's path called its "Metadata" before."
Meh. It seems like a perfectly reasonable use of the term to me. It isn't part of the file's data, but is nevertheless *about* the files data. Would you have been happier if I'd followed the NTFS documentation and called it an attribute?
1. I don't think MS need undocumented features in quite the same way anymore. There is a mind-boggling array of documents concerning APIs, file formats and network protocols used by Windows and other MS software. (e.g. https://msdn.microsoft.com/en-us/library/dd208104.aspx.) The problems these days are firstly can you find the document you want and secondly does the MS implementation actually match the document? (And if it doesn't, tempting you to follow the current implementation instead, will they just fix it in the next release leaving you looking like the idiot who couldn't follow a spec?)
2. I think the drivers in this leak are the bus drivers, implementing (hopefully correctly) protocols that are fully documented and already supported by other OSes. The drivers you want are the vendor-specific layers on top and these aren't included here. In most cases, MS will not have that source.
"tell all developers that they are free to look at the sources"
I see where you are coming from but I think that would kill Windows as a platform.
Developers would look at the current source code and write apps that depend on behaviour that is currently true but which is merely an accident of the current implementation. Since Windows apps are typically sold as closed source and typically not updated for free by vendors to track OS changes, the result would be that each new version of Windows would break about half the software that you've paid for, with fixes only available if you pay the vendor again.
As readers of Raymond Chen's blog will know, this already happens to a debilitating extent. That's surprising because the only way to create such dependencies right now is to reverse engineer Windows. Apparently some programmers are smart enough to walk over assembly listings and reverse engineer how Windows currently works but not smart enough to realise how fragile this is. Worse, many of these programmers do this even when there is a documented alternative.
"Yet other systems have had it a lot longer, without said issues..."
These other systems have issues of their own. For one thing, they almost certainly don't run <insert-important-and-private-internal-app-here>. If that's not important to you, go ahead and run other systems, but you can hardly blame Microsoft for supporting their existing customers.
Actually the registry hack isn't safe. For 25 years, MS have promised developers that a 260-character buffer will be able to accomodate an arbitrary path. If you quietly raise that limit, all that happens is that end-users suddenly find that the filename they type is not the one that actually gets used by the program. At best, that's a bug. At worst, it is a security hole.
As an alternative to the registry hack, where developers have taken the trouble to support longer paths safely they can advertise that in the program's manifest. Users will then get the benefit where it is safe and be protected with legacy behaviour where it would not be safe. (Please note, however, that if your program uses a standard file open or file save dialog, you are potentially hosting arbitrary Explorer extensions, so you can't honestly write that manifest entry.)
And on a completely different tangent, 260 characters is over three lines of text. If your paths are longer than this paragraph, I'd say you were using the filename to write a short abstract of the document contents, which is an abuse of the metadata.
"There's no direct flights from the UK to this neck of the woods."
Even assuming there was a direct flight, would that be safe?
Honest question: if a suspected criminal is on an international flight, does international law allow an overflown country to demand that the flight lands on their territory so that the suspect can be arrested? If the answer is yes, Assange needs the willing connivance of more than just the UK.
Most modern routers have a WPS button whose effects only last for a couple of minutes. Why not say that you can only log in during that window? (You could ignore the rule if the user changes the password to something strong enough.)
This is just a repeat of the perennial problem that passwords short enough for the average Joe to remember are not long enough to keep the average Joe's assets safe. It's going to keep coming around until we learn to stop relying solely on passwords.
"er ... isn't the article you just commented on reason enough ?"
I doubt it, since the problem outlined in the article can be avoided by changing the password. No need to stop using the router. Also, the problem outlined in the articled is not fixed by buying a separate router if you put an equally weak password on the second box.
In short: the router is not the problem here.
I think that's the key point. Everyone brings a prior (guess). The frequentists insist that the only legitimate prior is one that expresses total ignorance. The Bayesians are willing to start from somewhere else. Once enough evidence actually turns up to make the prior unimportant, both parties agree. Until then, you don't actually have enough evidence.
"The problem is rather with unlevel crossings."
So you deliberately create a slightly larger hazard in the road on either side leading up to the crossing. That way, no-one can actually reach the crossing unless they are also able to cross it.
(Or has some sociopath got a patent on that idea...)
"The researchers create and run the VMs they use to study malware. They just have to not check the box for encryption."
But the client OS can presumably detect whether that box was checked. Otherwise the system is worthless because you still have to trust the person hosting your VM when they say "I ticked it, honest.". Of course, you then need some kind of way for a client to know that the VMM isn't virtualising the instructions that you are using to detect whether they checked that box. I'm not sure where it all ends.
Makes sense with the timing.
Some minister will want to know what's feasible or affordable so that they don't seem quite so dumb in the negotiations. So they ask a civil servant for some proposals.
The Home Office's answer to everything is a National ID Database, so the civil servant who is given the research task just fills in the most recent estimate for the population of EU citizens in the UK and asks around the usual suspects for quotes/tenders.
Some opportunistic company reckons it is worth a punt maybe hiring a few people so that they can claim to be ahead of the game if things come to fruition. So they post the ad.
The exact requirements in the ad are therefore one company's guess based on one placeholder-proposal from one civil servant from a minister who is only asking because he hasn't thought about it carefully yet.
Those higher frequencies will give you the extra resolution, but only if they can actually pass through the brick walls. (Ironically, this probably means that conventional radar wisdom is mis-leading because conventional radar depends on the opacity (or at least, the reflectivity) of materials to the chosen wavelength, not their transparency as required here.)
The OS can do anything. "Other" software has to play within the permissions granted by the OS.
Well, actually, no. As regular readers of this publication will know, other applications can simply send an appropriate message to the secret web server baked into the CPU and tell the OS to go fsck itself.
But in an ideal world ... just because the OS can do something doesn't mean that anyone else can.
"For the small number of applications that still needed updating, we built a feature just for AV apps that would prompt the customer to install a new version of their AV app right after the update completed.”
So Windows is putting up an ad *telling* users to buy a new version of Kaspersky, and Kaspersky are still unhappy. Sheesh!
"I'd be surprised if overall battery consumption actually went down with compression."
It's possible. The radio is quite power-hungry, which is why there are options to switch it off. Trading radio time for CPU time is a possible win (but I like Firefox's algorithm more).
A hint for Google, since all their ads are targetted, they could probably get away with delivering the same ad multiple times, from the phone's local cache. That would be even more efficient. Looking even further ahead, build some kind of ad server into the phone, which downloads targetted ads in advance when plugged into the mains and using wifi, and delivers them effortlessly during the day when you are on battery and a mobile connection.
"MBAs do -mostly- what the laws allow them to do."
Theoretically, they are also constrained by the shareholders. In practice, the shareholders are the infinitely smart masters of the universe who manage our pension funds, so the actual level of oversight is not experimentally distinguishable from zero.
Can the system be described as "broken" if the actual problem is that no-one is bothering to implement it?
Security 102: The phrase "logged-in" does not mean "physical access". The latter implies that you can dismantle the PC and plug its drives into your own box or something equally dramatic. The former implies nothing more than an SSH session from 10,000 miles away using a low-privilege account.
"from their own families as well as the un-expected opponents."
FTFY.
For modern examples, look at North Korea or (less bloodily) the political party of your choice. (The UK Tories look like the best example right now, despite Momentum's best efforts within Labour.) The plain fact is that once you've eliminated the possibility of change from without, you can be certain that you now face a threat from within.
Smart people might reckon that this is a good argument for remaining open, because it is much easier to see an external threat building up, so you have more time to make yourself safe.
"because the default for MSVC is spaces and it's just not worth the effort to change it."
Is it? I haven't poked around in that part of the IDE for several versions and it always does tabs for me. I must have set it correctly at the beginning of my career and never looked back.
Thirty? Nearer 200.
The feedback serves to define an adhoc merit function and the goal of the "AI" is to find an extremum in that function. That problem is so well-trodden that I can trot out its limitations off the top of my head, as can anyone who has taken an undergraduate-level course in numerical methods.
Problem 1: your extremum may turn out to be a local extremum that isn't very extreme. You then find yourself unable to improve, despite being not very good.
Problem 2: if your feedback is real-world data, it is lying to you (measurement noise). So you can't completely trust it, so you may not be able to find even a local extremum with any reliability.
Problem 3: if you know nothing at all except for the feedback values (so, nothing comparable to an analytical model of the problem space) then the only known methods for finding an extremum are horribly slow.
Of course, these constraints also apply to most real-world problems faced by humans (who we arrogantly presume are intelligent) and it is why Historical Progress is slow and occasionally gets completely stuck until some inspired person manages to take a giant leap in the dark away from the local extremum. (Side note: the very notion of Historical Progress would have been lost on nearly everyone prior to the Enlightenment. We were that bad at it that many respected authorities actually believed that we had been more advanced in the past. Thus we get notions of prehistoric Golden Ages.)
So perhaps these machines are intelligent and we've just got vastly inflated delusions about what Actual Intelligence is capable of.
"Anonymous because of hatemail."
Many of those of us who are paying welcome your free-loading because we recognise that the BBC is quite possibly the best thing that this increasing bonkers country is still doing on the world stage.
Indeed, for many years the World Service was financed by the Foreign Office for precisely that reason. We actually wanted you to listen to our point of view. In more recent years, the UK government has apparently decided that we don't want foreigners to listen to us anymore. Given the behaviour of those governments, that might not have been the wrong decision. A pity though.
Give a ten-year-old a small, battery-powered computer of their own and let them discover some interweb instructions about how to set up their pi-cam so that they can use it over the internet as a spying device.
Hmm ... I'd guess that an awful lot of pis are connected to the net with no thought to security at all.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
