Posts by Androgynous Cupboard

Re: Cheaper

For a man with no feelings on them you post an awful lot on the topic. Doubly surprising given you don’t have one and have clearly never driven one.

Re: Cheaper

Literally everyone on this website understands where in the producer-to-consumer chain the problem lies when electricity is generated with coal. This isn't the Daily Mail.

Again, we get you don't like EVs, but must you continue to be so spectacularly thick with your arguments? You're just adding noise at this point.

> If something is wrong (rarely) they go to their local mechanic and get things sorted. Usually don't need to do anything apart from yearly service and MOT.

Sure, and while they're doing the MOT the loan vehicle is a pink fluffy unicorn. I'm now starting to wonder if you've ever actually owned a car.

> It's not like you buy a new EV and you will have smooth sailing.

Petrol and diesel cars by contrast, literally never fail. They are perfect in every way, down to their cute little button noses.

Look, by now we all get that you think EVs are terrible, and it's clear that those of us that actually have them disagree. So you carry on spinning your fictions. I'm pretty happy with my two fault-free (so far, naturally) EVs. No, they're not Teslas.

Re: So, smart meter joy is continuing

I've posted this here before - you can get MQTT integration easily by purchasing a Hildebrand Glow display. I can confirm the MQTT output works nicely - a message every 10s from the local device, as far as I can tell no internet connection required. £90 or thereabouts last I checked, and works with any supplier.

Obviously they should all work like this and it could be better, but it's probably the best solution we currently have for home integration.

Re: Prodding the bear

Forgot to post this yesterday, which I should have as it's very relevant: https://www.lrb.co.uk/the-paper/v36/n05/andrew-o-hagan/ghosting in the London Review of Books is an excellent if long read, by Andrew O’Hagan - the guy who was hired to ghost-write Assange's autobiography (oh, if only we had a word for an autobiography written by someone else?)

Naturally Assange pulled the plug after O'Hagan had spent about six months in his company, keeping the half-million advance. Canongate published what they had as the "unauthorised biography of Julian Assange", and a clearly bemused O’Hagan was left to write up the story of how it came about a couple of years later. Spoiler alert - you might want to sit down for this because it's a real shocker - he doesn't think too much of Assange.

Well worth a read, he's a good writer and it's bizarre from start to finish.

Re: Graffiti on the walls

> Who are the people painting those and why?

Some anonymous coward with an axe to grind?

Re: Wikileaks

Nope. See my comment above. First, Wikileaks publishes what they're given without any verification or fact checking, which might sounds quaint but it's what separates journalists from bloggers. It's still useful but it isn't journalism, any more than publishing press-releases is. Then he made it far, far worse by selectively editing the helicopter video to show his chosen narrative - massively discrediting Wikileaks in the eyes of many. If it's not an impartial distributor of data, it's just another opinion you can ignore if you disagree witih it.

I like wikileaks. But Assange has done it more harm than the US government ever could.

Re: Prodding the bear

I remember reading an email he'd written to a South American diplomant - and its reply - in the very early days of Wikileaks. Manning was probably still in school. An unusual combination of fawning and arrogance, I recall him suggesting the diplomat "take whatever measures he felt necessary" before the doxxing he was about to pefform, and that he was being informed in advance "out of respect for your reputation".

The response was biting - I remember "what measures do you suggest, exactly? Go into hiding with my children?" or something along those lines, along with his observations on the actual meaning of the word respect. The fact the Assange had used machine translation to convert his original letter into cod-spanish probably didn't help (this was, I think, the 90s?), but he came across as a man that quite fancied himself - in general, but in particular as some sort of super-spy diplomatic player.

This was long before his current noteriety but I came away unimpressed, and have remained so. He has committed the two cardinal sins of journalism - selectively editing the facts to fit a narrative, and becoming the story - and doesn't deserve that title.

Re: “The Land Down Under's”

Occasionally known as "West Island" in New Zealand.

Re: it "does not know the reasons these blocking orders have been issued."

There are so many exceptions to your list I barely know where to begin, but let's start with someone shouting "kill the X" in the street, for any value of X that troubles you. Out society doesn't tolerate this because our society has evolved beyond medieval.

You're welcome to hate anyone you like, but do it quietly. Unless the people you hate are hated because they're breaking this rule, then do it loudly.

"state-adjacent propagandists" - and you thought "left" and "right" were problematic. What a load of plant based, bovine-originating naturally sourced fertiliser.

"their alleged plan included attacking politicians, storming the Bundestag (Germany’s parliament), overthrowing the federal government, dissolving the judiciary, and seizing the military ... Among those arrested were a judge who sat in the Bundestag for the AfD, former soldiers, aristocrats, and former members of the police force"

I have eschewed my usual Guardian source in favour of https://foreignpolicy.com/2022/12/19/germany-reichsburger-raid-terrorism-right-wing-extremism/, in the hope that a vaguely neocon-related source might get through to you. If that's "state adjacent" then so were the Red Army Faction. I appreciate this is the Reichsbürger faction not the AfD, but their relationship is like the National Front and the BNP.

First I've heard of the Overton window, thank you - I like the concept. I'm not sure I totally agree with "decades" - I imagine if you're black, gay, or a career woman then society is a better place for you now than it was in the 70s due to society becoming less accepting of bigotry - I'd call that a "leftward' movement, and I guess Elon would too based on that cartoon. But If you'd said "decade" I'm totally with you.

I wonder how many people would not place themselves in the center in that cartoon? I'm sure even our resident codejunky would put himself in the middle somewhere, outflanked on the left by some and on the right by... uh... well, I'm sure it will come to me eventually. 80% of drivers think they're above average too.

Re: But.. but..

I believe the article was supposed to be uploaded for publishing on the first, but the author didn’t have permission.

Possibly the second geekiest joke I have ever made.

Re: Complexity

Couldn't agree more, and I made exactly the same point on the thread on Friday. My three takeaways from this (and from Log4J, the last big supply chain attack) would be:

1. There is virtue in simplicity. Expenditure on man hours to remove complexity from both code and process is never wasted.

2. If you can do it yourself, do. Pulling in a large library when you only need one function means you're not only increasing your risk, but probably the library is sprawling and badlly designed.

3. Do one job, do it well. For library designers (like myself), don't be tempted to expand the scope. Keep it focused.

Some corollaries are 4), the next time I see someone on stackoverflow say "just use library X" for a simple task I"m going to give them a sound telling off, and 5), the only projects I know of that use the M4 macro library are autoconf and sendmail, and both should forever be associated with security failings. It's time for M4 to be retired in favour of something legible.

Re: Securing Open Source

Thank you, that's very thorough and well worth a read.

Re: If this was sponsored by a nation state

I had that same thought myself. If it was the contributor it currently appears to be, then the infiltration process potentially started 18 months ago. It feels like the ground has just shifted very significantly under open-source development.

Re: Securing Open Source

So now we're 48 hours in and it should now be clear to everyone commenting here what happened. The xz library was attacked. While not normally a component of sshd, it may be optionally included to enable it to communicate with systemd. Our hacker targeted that combination, also requiring glibc (ie. on Linux) for the exploit.

So there are several components required to make this work - xz compression, openssh, glibc and - yes - systemd, but only by virtue of its IPC requiring xz. Is that unreasonable? No. xz is a great algorithm and (along with zstd or brotli) an excellent choice in 2024. Systemd has many problems, but it's not the primary cause of this problem.

Edit: ah, link above showing our likely culprit had a go at attacking zstd too.

Re: Haters Should Be In The Headline, Not systemd

It's not the wrong discussion at all, it goes to the heart of one of the problems with modern software development - over-reliance on dependencies.

This is what happened with Log4J, it's what happens with this issue and it's potentially what happens every time your code has a dependency on another package - you are trusting a third party.

For simple code like "send a message to another process, write it yourself! I genuinely despair that I am having to make such a self-evident point. This is is supply chain poisoning. Reduce your fucking supply, and you might just become a better programmer as well has having software you can audit.

Re: Systemd should be in the headline, not `xz` or `liblzma`.

I'm no fan of systemd but the email also notes that "To reproduce outside of systemd, the server can be started with a clear environment, setting only the required variable: env -i LANG=en_US.UTF-8 /usr/sbin/sshd -D"

Yes, systemd is an ideal attack vector but xz is used in a lot of places.

I have to say this looks like quite a carefully planned and extremely cleverly executed attack so hats off off to the guy. I haven't followed it all but there are binary blobs committed as test files here - test vectors, just the kind of thing you'd expect as part of the tests for a compression library. Then there's some work done later to somehow munge those into the library, a process I haven't entirely followed but which involves the M4 macro library, used by autoconf.

There are a bunch of fingers to be pointed here. Sure, systemd - why not? - but speaking for myself, the last time I fully understood the build process for anything written in C was about the mid nineties. Complexity is the enemy here, and there's plenty of it about.

Re: What about the culprit

This one? https://github.com/tukaani-project/xz

This repository has been disabled. Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service. If you are the owner of the repository, you may reach out to GitHub Support for more information.

Re: Photo ID in UK

Downvoted already I see. Just goes to show that bears dressed as people are not just voting, they are reading The Register. Something must be done, poking people with sharp sticks is something, therefore it must be done.

Re: Photo ID in UK

> Stopping voting fraud is a good thing and is only opposed by people who must be assumed to benefit from it.

What's also a good thing is stopping bears dressed up as people from voting. Why is no-one doing anything about this? We should be poking everyone with a sharp stick when they vote to see if they growl. Anyone opposed to this must be a bear!

May I direct you to this now classic article by Matt Taibi: https://www.rollingstone.com/politics/politics-news/why-isnt-wall-street-in-jail-179414/

Re: Force of Islam

I think that's exactly the point the author is making. The story of it being burned by islamic invaders (because it "either agreed with the prophet and was therefore unnecessary, or disagreed with him and was therefore sacrilegious" if I remember the quote) was an anecdote that spread because people wanted to believe it, but is nonsense. Most of the damage had been done when Caesars troops (probably) lit fires that spread back in 48BC, 700 years earlier. By the 640s whatever remained of the library was no long significant.

Most of what we know about many ancient texts from Sophocles, Plato, Euclid etc. come from translations made from the Greek into Arabic by muslim scholars - they're doing the exact opposite of burning books, they're preserving them. But Christianity was threatened by Islam, so propaganda triumphed over facts. And it still does today.

Re: @Doctor Syntax

They were also the days of women-know-your-place, page 3 pinups on the wall, Section 28 and "no blacks no irish".

The trouble with nostalgia is it ain't what it used to be.

Re: It's deja-vu all over again ...

> Under GDPR, personal information should be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

Does it have a password to access it? Do they have a backup? is it scribbled on the back of envelopes, or left unguarded on an open-plan desk? No, no no, therefore it meets the requirements.

While I get the database is shit, I'm not sure the GDPR has a problem with shit.