* Posts by Ken Hagan

8137 publicly visible posts • joined 14 Jun 2007

Mouse sperm kept frozen in SPAAAAACE yields healthy pups

Ken Hagan Gold badge

Re: A bit gimmicky?

If I might add two further points...

Embryos are fully immersed in liquid and buoyancy means that the net effect of gravitation on the developing embryo is zero even for an elephant on Earth.

The likely importance of radiation on a developing embryo is so large that even if the mice had emerged hideously deformed, we'd assume that it was the radiation rather than the micro-gravity. We're therefore in the situation where we learn nothing about the effects of micro-gravity regardless of the result of the experiment.

Ken Hagan Gold badge

Re: A bit gimmicky?

The opening half-dozen paragraphs of the article state quite clearly that the purpose of the study was not these second or third order effects, but rather the irradiation that I mentioned. Even if it hadn't been, how would you test a mouse for a mild impairment to some as-yet-unidentified aspect of its general health? It's not like you can give them a questionnaire when they grow up.

It is universally accepted (and fairly easy to argue with a back-of-the-envelope calculation) that gravity just isn't very important for small creatures and is vanishingly unimportant on the scale of a developing embryo. Whilst it is nice to check universally accepted wisdom from time to time, it seems rather poor value for money to test this one in this particular way. I genuinely hope that this work has either been grossly mis-reported (which is quite common and not necessarily the fault of the last reporter in the chain) or was not funded from the public purse.

Ken Hagan Gold badge

A bit gimmicky?

Can't help feeling it would have been easier to irradiate the sperm down here on Earth.

Google wants to track your phone and credit card through meatspace

Ken Hagan Gold badge

Won't prove a damn thing

Since the data is anonymised, no third party can check Google's analysis without "taking Google's word for it" on a whole range of questions around the data collection and accuracy. If you are prepared to take Google's word for it on this or any other issue, this data won't make you any more likely to trust them. Therefore, the exercise is useless for the stated purpose.

So, Google, what's the real purpose?

Redmond puts wall around Windows 10 for Chinese government edition

Ken Hagan Gold badge

Those features sound like things that the Chinese government might like its general population to benefit from, too. I wonder how long it will be before this becomes the plain "China Edition".

Netgear 'fixes' router by adding phone-home features that record your IP and MAC address

Ken Hagan Gold badge

Re: Similar technical data

@FuzzyWuzzys: That sort of hopeless guesswork is probably why I get geo-IP-ed to Bracknell. Perhaps you live in a country where there are such things as "local ISPs". I can't think of any in the UK.

But the real problem with your algorithm is that it uses existing geo-IP knowledge to locate the router, which makes the information that Netgear have collected utterly worthless to people who do geo-IP, which is what was being suggested.

Ken Hagan Gold badge

"You forgot BT and Vodafone."

No. The OP said "updating".

Ken Hagan Gold badge

Re: Similar technical data

"flogging all the MAC addresses [...] to all the geo-IP companies they can find."

Not much use unless you know the location of the router. Netgear don't. The ISP (probably) does. Likewise, the location of connected devices is only useful if you know that they stay connected at that location, and mostly these days they don't.

No nudity please, we're killing ourselves: Advice to Facebook mods leaks

Ken Hagan Gold badge

Well what other rules are there? Not legal ones, that's for sure...

"*All material cited is in English. Moderation guidelines for other countries will be required to follow local laws."

How fortunate for FB that all English-speaking countries have the same local laws.

Wannacry: Everything you still need to know because there were so many unanswered Qs

Ken Hagan Gold badge

Re: SMB shares

Perhaps those large organisations allow VPN access. Then you could have non-internet-facing SMB shares exposed to a box that might (for some other reason) have been internet-facing at some point in the recent past. For example, a GP's surgery might have an old Win2k8R2 server that has been mis-configured and no-one is really paying attention, but it probably does have access to the interior of the NHS network.

Do we need Windows patch legislation?

Ken Hagan Gold badge

"By that only 4 years support argument why buy Windows 10?"

Well, yes. Why? It's not a foregone conclusion.

On the other hand, if MS stick to their stated aim of Win10 being the last Windows you will ever buy, they've adopted essentially the same model as Linux: no given release is supported for more than a few years, but an upgrade to the latest release is free and usually runs all your stuff.

(Possibly this is why Win10 is now so annoying. MS aren't making any money out of it so they might as well use it as a public beta for all their crazy ideas. The distinction between "current branch for consumers", which makes no money and gets all the shitty experiments, and "current branch for business", which makes money and perhaps skips the experiments that didn't work, would suggest that this is exactly how MS now feel about their former cash cow.)

Ken Hagan Gold badge

If your x-ray machine's certification depends on certain machines being present or absent elsewhere on a network then I have to question whether the certification is sane, but even so, you just provide the network environment required by the certification and then place my device outside of that.

There is simply no way that a need to transfer data from A to (eventually) B requires that A be placed on the same network as B.

Ken Hagan Gold badge

Re: Motor car recall

Fine as long as you realise that the entity analogous to the motor vehicle manufacturer in these cases is the company that makes the medical equipment, of which a Windows OS is merely a component part.

It is the job of an engineer to create a more reliable whole out of less reliable parts. Otherwise every chain would only be as good as its weakest link.

Ken Hagan Gold badge

Re: Would we excuse the manufacturer and allow unsafe vehicles on the road?

"If you were a government spying agency and found a back door to take control of other peoples' computers, would you let on?"

I'd have to ask whether this was the sort of vulnerability that my rival agencies might also be able to find. (Hint: much of the Windows source code has actually been made available to foreign governments at various points in history, so the answer is a big, fat YES.) I'd also have to ask if my fellow countrymen might therefore be at risk from the activities of that rival agency.

Given that the West has, historically, made far more use of computers in their economy than the East, I'd say that the NSA *ought* to have been erring on the side of disclosure (to MS) for most of the last 30 years.

Ken Hagan Gold badge

"the x-ray machine needs to send its output to a server"

So it sends it to a cheap linux box containing two network ports. One port goes to the x-ray machine and the other goes to the wider network. Run a script on the linux box to move files onward as required. As far as the x-ray machine is concerned, nothing has changed. As far as malware on the wider network is concerned, it now has to break into a linux box before it can even see that there is an x-ray machine on the other side.

Yes it is slightly more complicated, but once you've worked out the details you can semi-isolate lots of similarly challenged pieces of kit. (Perhaps the chaps at http://www.nhsbuntu.org could help you set it up.) Yes, it isn't perfect isolation, but it is a perfectly valid component in a layered defence. Yes, it is a pain in the butt, but if it were my job to protect the IT of an entire hospital and I had the constraint of accommodating an XP-driven device, I'd reckon that something like this was what I was being paid for.

Ken Hagan Gold badge

@big_D: I have, for many years, maintained a small collection of VM images with different versions of Windows. Whenever I work on them, I snapshot them first and revert afterwards, so as far as each VM is concerned, the only thing I have ever done to it is wake it up once a month, let it update and then put it back to bed.

Several machines (two Vistas and two Win7s) have actually just updated themselves into oblivion under this "cruel regime". That is, they reached a state where they blue-screened at startup and this was repeatable if I reverted to the previous image and let them try eating that month's updates a second time.

Of the survivors, the XP machines were taking several hours each month by the end (2014-ish) and the Win7 boxes that remain are taking quite a while each month now as well.

Ken Hagan Gold badge

Re: All products have a support life

Good analogy, but it doesn't lead to your desired conclusion.

Cars are built from components. If the company that makes the brake sub-assembly finds the fault and notifies the car manufacturer, it is up to the car manufacturer to issue the recall because it is the car as a whole that has to meet consumer trading standards.

Likewise, the MRI scanner vendor can say "Don't attach my scanner to the internet" and then any vulnerability in the component (XP) is not relevant to whether the whole (scanner) is deemed to be working correctly.

Yo, patch that because scum still wanna exploit WannaCrypt-linked vuln

Ken Hagan Gold badge

It's worth following the link in the article

Rapid7 have some nice graphs showing what and where. It seems that Server 2008 R2 (with only service pack 1) accounts for about half of all directly connected Windows boxes.

That perhaps isn't surprising, until you realise that these are the subset of Windows boxes that have a completely clueless owner and port 445 open.

US judges say you can Google Google, but you can't google Google

Ken Hagan Gold badge

That big G...

We don't have proper verbs in English, so you can't "Google" anything without offending a grammar nazi. If Google want to protect their name, they should insist that people google with a trademark annotation.

WannaCrypt 'may be the work of North Korea' theory floated

Ken Hagan Gold badge

Re: Excuseotron

Up-voted for the splendid hashtag.

Ken Hagan Gold badge

Re: Dear Leader

I think "Dear Leader" is now "Dead Leader". The current incumbent goes by the moniker "Fatty Kim", at least on Chinese social media.

Ken Hagan Gold badge

Re: Naive Question

"The bigger issue for things like medical equipment is probably the drivers."

Possibly. I don't recall seeing a "Medical" device type in Device Manager. There may be some medical devices that ship with a bespoke "interface card", particularly the really old ones that were built for DOS, but I would hope that the majority of devices written in the last couple of decades communicate with more sane options like RS232 (now carried over USB and supported by every OS on the planet) or an ethernet cable (similarly universal).

It might take time to validate any new configuration, so that you can tick the box labelled "Doesn't kill the patient", but I doubt whether device support is the blocking issue for that XP->whatever roll-out.

Ken Hagan Gold badge

I agree. If you're reduced to using the timezone as "evidence" then you scraped your way through the bottom of the barrel a long time ago. A more plausible conspiracy theory is that the NSA have just noticed that most of the world's XP systems are in countries they don't like and later systems can be protected if MS can be persuaded to put out a patch two months before the attack. (If you want a soundbite, they've weaponised Microsoft's update policy.)

But a vastly more plausible theory still is that some normal crook decided to strap a ransomware payload on the back of a new exploit they found on the interwebs. There are *far* more crooks than there are nation states, so the odds are *always* in favour of the mundane explanation.

Ransomware scum have already unleashed kill-switch-free WannaCrypt variant

Ken Hagan Gold badge

Re: Inevitable

"Because the likes of the FSB & PLA must be too stupid to have also discovered these types of vulnerabilities."

If they knew about them, they didn't do a very good job of protecting their own gear from them.

For now, GNU GPL is an enforceable contract, says US federal judge

Ken Hagan Gold badge

"That since it did not sign anything when it downloaded Artifex's software there is no contract to be enforced."

That's a very odd argument. Do you think it would work if I downloaded Windows and then tried to argue that I hadn't signed anything?

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+

Ken Hagan Gold badge

Re: Kill switch

More likely, it didn't occur to them that any of these "tools" had kill-switches. Presumably now that will occur to them and they'll flick the switches for all the other exploits they've lost. It would be gross negligence not to, since part of their mission is to protect US IT systems.

Ken Hagan Gold badge

Re: Rogue One ...

I doubt it. Since this has become a long comment thread, let me re-iterate a point that someone else made further up. If you are the NSA and intending to use this against a particular target, you want a kill switch that you can register once you've hit that target, to stop your weapon becoming any more public than it needs to.

Also, to answer another query from further up ("why include a kill-switch when you can't register it without disclosing your identity"), if you are the NSA and you register a garbage domain name, no-one is going to know why or try to arrest you even if they do.

It is a little odd that someone adapting this software to a very different purpose, requiring as large a target as possible, chose to leave the kill-switch in (and in the clear). Perhaps they didn't understand the code they were using.

Ken Hagan Gold badge

Re: Hunt to blame for NHS attack

"MS does still support, if you pay..."

Not sure about that. The original offer was $200 for the first year and $400 for the second and $800 for the third, per seat. That third year ended a few weeks ago. I've not seen any mention of a fourth year, at any price, to anyone.

Refs:

(2017) https://www.theregister.co.uk/2017/03/17/microsoft_to_kill_windows_vista_april_11/

(2014) https://www.theregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss

Ken Hagan Gold badge

Re: Amazing you can leave the SMB port open

"Also, one questions why file sharing is necessary in these days of web and other fat client based apps."

File sharing is a client-server app. The end-user-facing client is a file browser rather than a web browser. Some programs (particularly older ones) are designed to speak http, others are designed to speak to the "local" file system. Re-writing all those programs to fetch their data over http would merely expose them to a different set of holes.

Ken Hagan Gold badge

Re: And we'd sure appreciate it if you could stop clicking on attachments

"stage one of Really Good Security: you have left your ego at the door."

Stage two is to persuade all of your user base to leave their egos at the door, too. In an organisation as large as the NHS, stuffed (er, staffed) with doctors and surgeons for whom self-confidence may actually be a job requirement (who here feels brave enough to knock a person out to within a gnat's breath of death, then stick a knife into them and cut out some of what you find?), I fear that stage two may actually be impossible.

Ken Hagan Gold badge

Re: You are missing the point

"They now are not going to get any money."

Too right. It would be fair to assume that most of the world's major intelligence agencies (particularly the Russian one, which isn't noted for its light touch against Enemies of the State) are now waiting for someone to try to pick up the cash. If there's anyone with balls big enough to march in and claim it, we'd probably be able to feel their gravitational field.

Well this is awkward. As Microsoft was bragging about Office at Build, Office 365 went down

Ken Hagan Gold badge

Re: Numpties.

"Ohhh, so, Microsoft is paying damages to all affected, then ?"

Have a "Whooosh!" on me. You can share it with the other down-voters.

Ken Hagan Gold badge

Re: I'm in Texas

Perhaps they felt that providing a map, with state boundaries and fuzziness in affected areas, made it unnecessary to expend the proverbial thousand words on a more detailed list. (Just as you didn't explicitly say that you were an O365 user.)

Ken Hagan Gold badge

Re: Numpties.

"Remind me again why I should trust a company with centralized control of my data"

You should trust them because the penalty clauses in the contract make it really bad for them if you suffer any kind of outage and so they'll make every conceivable effort to deliver. Just like any other kind of service or product that you buy in from outside, in other words. Businesses have been doing this for years and I really don't see what the fuss is about.

Obviously it would be bonkers if you didn't have any such clauses in the contract ...

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Ken Hagan Gold badge

It proves a point that many people here have been making since XP went out of support. *Every* patch from MS that fixes holes in a later version of Windows reveals a weakness that might exist in XP. MS have therefore been publishing exploits against XP for several years now. I believe the NHS's special deal to continue to receive patches expired quite recently. This is an entirely predictable result of NHS management's failure to have any kind of plan for moving off XP.

Microsoft's Windows 10 ARM-twist comes closer with first demonstration

Ken Hagan Gold badge

Re: Isn't Google unifying Android and ChromeOS as well?

"The temptation of a single line is strong, because it means to save on development costs."

You (as well as Google and all the rest) should distinguish between unifying at the API level and unifying the end-user shell or skin.

The former is probably essential if you want to attract developers to a "new" platform. Simply trying it out needs to be no more than a compiler switch. If they see potential in the results, they will be willing to tweak their code for the "extreme device metrics".

The latter is utterly counter-productive, precisely because of the extreme device metrics just alluded to.

Ken Hagan Gold badge

"Instead of the 7-Zip installer, how about a full PC benchmark suite?"

Prediction: Not only will MS not do that, they will write words in the EULA which try to stop anyone else doing that and publishing the results, like they did with .NET. (I don't know if that language is still there, but the first few versions were certainly "If you benchmark the software then you will get MS's permission before publishing the results." type of thing.)

I assume that such clauses are unenforceable, but IANAL, as they say.

Cloudflare goes berserk on next-gen patent troll, vows to utterly destroy it using prior-art bounties

Ken Hagan Gold badge

Re: bow and arrow - good!

The architecture described in the article is an HTTP proxy. Clients connect to the proxy which accesses the actual website behind the scenes and then the proxy delivers possibly modified content back to the client. The client never accesses the actual website. That's the whole point of the proxy.

So would there be any prior art for HTTP proxies around the 2002 timeframe? Well ... I suppose there's always the RFC that describes how HTTP has been carefully designed to make them possible. Would that count?

That's a serious question, by the way. In the sane world where you can't just grab an existing public standard and announce that you own it, of course it counts. In a US court hearing an IP case? Hmm ... much less clear cut. We shall see.

Microsoft touts next Windows 10 Creators Update: It's set for a Fall

Ken Hagan Gold badge

Cycles of re-invention

This Microsoft Graph rubbish sounds like it is intended to create an experience where it doesn't matter which device you used to create something, or which device you are now using to access it, and perhaps both at once. In such a brave new world, one might say "The network is the computer."

As I recall, *that* failed partly because people didn't much like having all their stuff on someone else's server and partly because the wire between you and that server was a piece of wet string compared to the various high-speed busses in a PC. Neither of those objections seems to have gone away.

Oh, great: There's a new Same Origin Policy exploit for Edge

Ken Hagan Gold badge

This, and the other thousand exploits against JavaScript's security model that have dribbled out at a steady rate over the last 20 years, is why "HTML5 apps" are a bad idea.

Theoretically, there's no intrinsic problem that anyone can point to. In practice, when the world has spent 20 years trying to plug the holes and is still failing several times per month, there comes a moment when rational players ought to conclude that there perhaps is an intrinsic problem and it is simply that we don't know what it is.

It's 2017 and Windows PCs are being owned by EPS files, webpages

Ken Hagan Gold badge

Re: Why does Microsoft still try and integrate applications into core OS

There is no such integration. All the apps you mention are user-space and no more privileged than anything you can buy from third parties (like me). Even Explorer only has the property you mention because it is the user shell. (I'm not sure where you get the idea about IE. It's totally separate. Not that anyone would ever want to run it as a full Administrator, of course.)

Tip: If you *do* want an administrative copy of Explorer, fire up something harmless (like NOTEPAD) with full privileges and use the File Open dialog.

Ken Hagan Gold badge

Modern software philosophy

I'd dispute "modern" and "philosophy". I have been watching people complain on the internet about the low quality of "modern" software for the last 25 years. It both puzzles and amuses me.

It has always been the case that software written for cash has taken the business-like approach of asking "how much will this bug cost to find (let alone fix) and how much will it cost to leave it in". You test until finding new bugs becomes unacceptably costly and you hope that the bugs left in will be relatively low impact as a result.

All commercial anything has used this approach since forever. It's basic economics. Happily, we can use equally basic economics to conclude that if you negotiate penalty clauses for bugs, you can increase the incentive to find and fix them before release. Since most shrink-wrap EULAs go out of their way to say "this software is not fit for anything" I think you can probably guess where the bar lies by default!

America's mystery X-37B space drone lands after two years in orbit

Ken Hagan Gold badge

Re: Astonishing what you can do when you learn from experience.

"kudos to the USAF for rescuing X-37 from the shitcan that NASA threw it in"

You mean kudos to Congress for diverting chunks of NASA's budget to the USAF's "off balance sheet" piggy bank. Er, yeah, kudos of sorts, I suppose.

Ken Hagan Gold badge

Re: Long flight

Except that this shuttle is the payload rather than the vehicle and being able to launch the same payload twice is hardly rocket science.

The launch vehicle is a distinctly non-reusable rocket. There are no re-usable spacecraft and existing propulsion technology provides no means to build any such.

Ken Hagan Gold badge

Re: it is unlikely that it carries any weapons... cough... cough...

"The energy released by whacking something with 15kg at 18km/s collision velocity is roughly equivalent to a kiloton of TNT."

Actually, Google says 1 kiloton is 4TJ, and I think the KE of 15kg at 18000m/s is about a thousandth of that. This makes sense, because it was several hundred tons of chemical energy that put the payload up there in the first place, so it is reasonable that it would have a ton or so equivalent of KE once it is up there.

But you don't need the ion gun. Just let a small lump of payload hang out of the side of your satellite and "encounter" the target on a non-glancing trajectory. The relative velocity will provide plenty of destructive power and you can blame it on space-junk.

Sorry, Dave, I can't code that: AI's prejudice problem

Ken Hagan Gold badge

Re: Can we stop using the term AI please ?

"We don't have AI. Stop using the word."

I sympathise, and have posted similarly in the past, but those two sentences don't actually conflict.

Yes, we don't have AI, but that doesn't necessarily mean people should stop using the word. "AI" and "algorithms" and "machine learning" have (in certain contexts) become pretty accurate markers for "You can stop reading now, unless you are really bored and enjoy a good laugh."

Ken Hagan Gold badge

Re: Transparency...

"All I'm asking is why people think that that cannot be logged and output - ie why the AI cannot explain how it arrived at an outcome."

That log would be perfectly easy to generate. However, it would take you weeks (or more) to read it and you would be none the wiser at the end of the experience as to why the computer had said "no".

Put another way, the computer does not have a reason, it merely has a very long calculation. Many moons ago, its designer discovered that the result of the calculation was fairly well-correlated with his or her own prejudices, at least on a test data set, and that designer therefore decided to use it as a substitute for making the decision themselves.

As long as everyone understands that it is a mere correlation on a mere test dataset and is being used as a substitute for an equally (but differently) flawed process of human judgement, there isn't a problem.

How to remote hijack computers using Intel's insecure chips: Just use an empty login string

Ken Hagan Gold badge

Re: bloody c language

"That is a problem in the compare routine. If the length of the strings is different it should return a mismatch."

It is not a compare routine. That's the mistake that the programmer made. strcmp() is a compare routine with the semantics you describe.

strncmp() is explicitly a "just compare, at most, the first n characters" routine. To be honest, I can't imagine that this is a common enough requirement to justify inclusion in any kind of standard library, but it's probably a historical accident and we're probably stuck with it now. One could, I suppose, mark it with some compiler extension like __declspec(this_does_NOT_do_what_you_think_it_does) and a stern note in the manual explaining why, but idiots switch off compiler warnings and don't read manuals.
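The distinction drawn in the two comments above (strcmp() compares whole strings; strncmp() compares at most n characters, so a length taken from the untrusted side is a bug) is easiest to see in code. The following is an added example written for this page, not code from Intel's firmware or from the commenter: the expected digest and the client responses are constructed sample values, and the three check functions are hypothetical names. It shows why a zero-length response satisfies the strncmp() form, and two ways a defender would write the check instead.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value: the digest the server computed for its own
 * challenge. Nothing here is taken from a real product. */
#define EXPECTED_RESPONSE "3f2a9c1e7b44d0e5"

/* The buggy pattern: the comparison length comes from the client's string.
 * For an empty client string, strlen(user) is 0, strncmp compares zero
 * characters and returns 0, which this code treats as "match". Any prefix
 * of the expected digest passes for the same reason. */
bool check_response_vulnerable(const char *expected, const char *user)
{
    return strncmp(expected, user, strlen(user)) == 0;
}

/* Minimal fix: strcmp compares up to and including the terminating NUL,
 * so strings of different length can never compare equal. */
bool check_response_fixed(const char *expected, const char *user)
{
    return strcmp(expected, user) == 0;
}

/* Stricter form a defender would prefer for an authentication digest:
 * reject on length first, then compare every byte without early exit so the
 * running time does not reveal how many leading characters matched. */
bool check_response_constant_time(const char *expected, const char *user)
{
    size_t n = strlen(expected);
    if (strlen(user) != n) {
        return false;
    }
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)(expected[i] ^ user[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed client responses: empty, a bare prefix, the real digest. */
    const char *samples[] = { "", "3f2a", EXPECTED_RESPONSE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("response \"%s\": vulnerable=%d fixed=%d constant_time=%d\n",
               samples[i],
               check_response_vulnerable(EXPECTED_RESPONSE, samples[i]),
               check_response_fixed(EXPECTED_RESPONSE, samples[i]),
               check_response_constant_time(EXPECTED_RESPONSE, samples[i]));
    }
    return 0;
}
```

The vulnerable function accepts both the empty string and the prefix; the other two accept only the full digest. Note that the fix is not "avoid strncmp" in general: strncmp(a, b, n) is fine when n is a bound the server controls (a buffer size, a fixed field width), and wrong only when the untrusted party chooses it.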

Ken Hagan Gold badge

Re: strcmp

Possibly because some well-meaning-twat in the compiler division wrote a non-standard "deprecated" attribute into the string.h header file and so any attempt to use strcmp() is now rewarded with a compiler warning whereas using a less-safe-but-more-obscure function compiles cleanly.

Actually, strike that. Almost certainly because of the above.

Ken Hagan Gold badge

Re: Probably best to not have IP6 enabled on an server Intel box or have it in DMZ!

"Yet another reason why NAT a firewall is still important and exposing stuff via IP6 any non-firewalled network protocol you care to mention is maybe not so smart!"

FTFY, as they say.