* Posts by Adam 1

2545 publicly visible posts • joined 7 May 2012

London Mayor election day bug forced staff to query vote DB by hand

Adam 1

Just tried kmac's suggestion but got

Winner
------
False
True

Screw this. Going to stackoverflow to get a proper answer.

Adam 1

That query isn't very helpful

Winner
------
False
False
False
True
False
False
False
False

Lester Haines: RIP

Adam 1

Re: Shame, he was still young

Or automatically applied to any post with exactly 55 votes.

Buggy vote-counting software borks Australian election

Adam 1
Pint

Re: WTF?

@John Savard,

The algorithm you describe is for the House of Representatives vote, but the Senate works differently because there are multiple "winners".

The way it works is that a quota is established by determining the number of voters divided by the number of positions+1. In, say, NSW, there are just shy of 5 million voters and there are 12 senators in this election. Therefore the quota in NSW is going to be (5M/13) + 1 ~384616

In the first pass, everyone's first preference is counted.

For those people/parties that exceed that magic number, they get a seat (or 2 or 3 or whatever until the remaining are below that magic number). Say a party got 500,000 votes. They would pick up a seat, and 115,384 votes would be transferred at a weighting of 115,384/500000 = ~23% to the second pick of all of those 500,000 people.

That action itself may even allow another person/party to reach quota and give them a seat. Once all the "transfers" are done, the candidate with the lowest count is eliminated ("excluded"), and their votes are transferred to the next preference of the voter.

If this causes someone else to reach quota, the transfer happens again (recursively if that causes another to reach quota too).

If no-one else can reach quota, the next lowest is eliminated and their votes head down to the next preference.

And round the circle we go again.

At the end of this process, all positions will be filled.

The process is complicated, but does hopefully provide a representative result. The big complaint (apart from a sore head trying to take all that in) is that those preference flows for the majority of people who vote "above the line" are opaque as a result of the horse trading that goes on between the parties.

The basic reason for this process though is that similar leaning parties would otherwise end up splitting the vote.
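As an added illustration (my code, not part of the comment above), here is a small Python count that follows the procedure just described: a quota of ballots / (seats + 1) plus one, first preferences tallied, surplus passed on at the weighting surplus / total (the 115,384 / 500,000 figure above), and the lowest candidate excluded with their votes moving to the next preference whenever nobody reaches quota. The ballots are constructed. Two things the comment does not spell out are my assumptions: ties are not handled, and when only as many candidates remain as there are seats left they are simply elected.

```python
from collections import defaultdict
from fractions import Fraction


def droop_quota(total_ballots, seats):
    """Quota as described: ballots divided by (seats + 1), plus one."""
    return total_ballots // (seats + 1) + 1


def count_stv(ballots, seats):
    """Return (elected_in_order, quota) for a list of preference lists.

    Ballots sit in piles keyed by the candidate they currently count for,
    each carrying a Fraction weight so surplus transfers stay exact.
    """
    candidates = {c for ballot in ballots for c in ballot}
    quota = droop_quota(len(ballots), seats)
    elected, excluded = [], set()
    piles = defaultdict(list)  # candidate -> [(weight, remaining preferences)]
    for ballot in ballots:
        piles[ballot[0]].append((Fraction(1), ballot[1:]))

    def total(cand):
        return sum(w for w, _ in piles.get(cand, []))

    def transfer(from_cand, factor):
        """Move every ballot in from_cand's pile to its next continuing preference."""
        for weight, prefs in piles.pop(from_cand, []):
            for i, nxt in enumerate(prefs):
                if nxt not in elected and nxt not in excluded:
                    piles[nxt].append((weight * factor, prefs[i + 1:]))
                    break
            # No continuing preference left: the ballot exhausts.

    while len(elected) < seats:
        continuing = [c for c in candidates if c not in elected and c not in excluded]
        # Assumption not stated in the post: when only as many candidates remain as
        # seats, they are elected without reaching quota (standard STV practice).
        if len(continuing) <= seats - len(elected):
            elected.extend(sorted(continuing, key=total, reverse=True))
            break
        over = [c for c in continuing if total(c) >= quota]
        if over:
            # Elect the largest first; the surplus transfers at surplus / total,
            # i.e. the 115,384 / 500,000 weighting. Ties are not handled here.
            winner = max(over, key=total)
            elected.append(winner)
            t = total(winner)
            transfer(winner, (t - quota) / t)
            continue
        # Nobody at quota: exclude the lowest and pass votes on at full current weight.
        loser = min(continuing, key=total)
        excluded.add(loser)
        transfer(loser, Fraction(1))
    return elected, quota


# Constructed sample: 13 ballots, 2 seats, quota 13 // 3 + 1 = 5.
SAMPLE_BALLOTS = (
    [["A", "B", "C"]] * 7   # A is over quota by 2; surplus flows to B at 2/7 each
    + [["C", "D"]] * 3
    + [["D", "C"]] * 2      # D is lowest after the surplus, is excluded, flows to C
    + [["B", "A"]]
)

if __name__ == "__main__":
    print(count_stv(SAMPLE_BALLOTS, 2))  # (['A', 'C'], 5)
```

With the sample, A is elected on first preferences, the two surplus votes lift B to 3, nobody is at quota, D (on 2) is excluded and its ballots push C to exactly 5. Swap the sample for a real ballot file and the same loop produces the count sheet you would want to audit.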

Adam 1

open source now

There is no excuse for proprietary closed source vote counting systems.

In 2013, about 1000 votes in Western Australia were lost. Due to the preference flows, it got a choke point about a zillion candidates down where a handful of preferences of voters of certain micro parties multiplied out to radically different results. After computer modeling of likely patterns, they determined that those lost votes really could have changed the senate make up. So millions were wasted again asking that state to vote again.

The AEC really needs to step in here and support efforts to build a citizen reviewable, auditable, blockchained vote counting system. Transparency is the key to free and fair elections.

Oh, and Antony Green is a bloody genius.

Liberal MPs paid AU$2,500 a YEAR to donor for electoral software licences

Adam 1

Re: Who's behind it?

Reported elsewhere and a bit of googling later, ALP use this mob. Seems to be some union involvement but at least on the surface seems like it's arms length.

In terms of Parakeelia though

"Its directors include federal Liberal director Tony Nutt and the party's federal president, Richard Alston."

and

"Last financial year, Parakeelia transferred $500,000 to the federal Liberal division, making it the party's second-biggest single source of funds"

So it's quacking and walking like a duck, but by all means draw your own conclusions.

Microsoft's paid $60 per LinkedIn user – and it's a bargain, because we're mugs

Adam 1

Re: Just sit still, this won't hurt a bit.

Ah. I see. Visiting LinkedIn is the new way that you can opt in* to GWX. Got it.

* Come on, it's no worse than their current definition of opting in.

RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level

Adam 1

Re: Silver Bullet

My password used to be password, but I changed it to dadada.

Bill Gates cooks up poultry recipe for Africans' paltry existence

Adam 1

Re: Automatic Updates.

Wait shouldn't there be a duck between the turkey and the chicken?

Microsoft has created its own FreeBSD image. Repeat. Microsoft has created its own FreeBSD image

Adam 1

Re: Hmm...

Oh don't mind that. It's just a temp folder for gwx

Fiber optic cables prove eyes of glass squids are like invisibility cloaks

Adam 1

if they really want fibre to become invisible...

Perhaps they could have a quick chat to the good folk at nbn. They seem to have found a way to make lots of promised fibre disappear.

'MongoDB ate my containers!'

Adam 1

For those who missed the joke

https://youtu.be/b2F-DItXtZs

(Language warning)

Adam 1

mongo didn't eat anything

Now I'm not a fan of the NoSQL fad, but Mongo worked exactly how all NoSQL databases work by design. They trade off transaction isolation for performance. Or put another way, why do you think that these things can be faster than a traditional rdbms? It's defined by the very overheads it can disregard. It is a terrific compromise for certain types of problem but people really need to stop using it for problems requiring ACID.

As for "write your software with the above race condition in mind", that's kind of backwards advice. If you write your own locking or serialisation, I will promise you here and now that it won't be as efficient as the rdbms that you are trying to avoid in the first place.

Behold the zettabyte internet

Adam 1

> Total traffic on the internet this year is going to surpass the one zettabyte mark

And that's just GWX doing its thing on all those folk who thought that they had hidden the update.

Why does an Android keyboard need to see your camera and log files – and why does it phone home to China?

Adam 1

Re: Almost every app I consider for installation

Android 6 permissions model works differently. You don't grant any permissions* until the app tries to use that feature (basically the same as iOS). You can also retrospectively revoke permissions even on legacy apps (which may cause them to crash, but my personal experience is that most of my apps survived the denial of things that are not functionally related to the app's purpose)

* admittedly that's Google's version of any, meaning it can still do network etc.

Mark Zuckerberg's Twitter and Pinterest password was 'dadada'

Adam 1

Re: Re-Secured?

> Bet you a pint they just added another da?

Nope, changed all the a's to @.

Adam 1

Re: Making a hash of things

> If anyone manages to break into or steal the database, all they have is hashes, from which it will be very hard to reverse engineer the password itself.

Before throwing stones here, a consumer grade GPU can compute 18 billion (yes with a B) SHA-1 hashes per second. Most English dictionaries have between 80 and 500 thousand words for some perspective. Or the hash of every possible 5-character password within a second. Very hard should always be understood in context of available number crunching capabilities.

But yes, there is a good chance that the passwords were not hashed enough times with sufficient salt.

It is also a really dumb password and was reused at multiple sites.

Computerised stock management? Nah, let’s use walkie-talkies

Adam 1

Re: Do you have any tea?

> Just because all beer is made from hops, water, yeast and barley does not mean all beers are the same!!!

Certain American versions seem to contain exceptional quantities of the second. Other Aussie brands mix them so terribly that they have to export them because there is no way WE'D actually drink that crap.

Adam 1

Re: 9 1/2 shoes

> I guess centimetres and the like vary from country to country??

Would that be African or European centimetres?

Why Oracle will win its Java copyright case – and why you'll be glad when it does

Adam 1

Re: Oracle asking for "non proportionate share of revenue"

The fact that it "used something that is basically Java" needs to be broken down a bit because that indeed contributed to the success. The important part of the "basically Java" from a skill transfer perspective is that the API is the same. For example, if you are looking at the String class, a newcomer won't care whether the substring method is the same or different internally, just that the method name, overloads, parameter names and types are the same. It's this API that would have fair use defence, so by that argument, the popularity is based on something that'd qualify for fair use.

Google Play is a red herring. You don't have to pay Google anything to sell an Android app unless you want them to host it in Play. You can alternatively side load it or push it via other Android stores by the likes of Amazon, Samsung. It is a hosting, supposed vetting, indexing and processing fee, not a licence fee.

Adam 1

I see this as a bit of a pox on both their houses. Oracle has every right to assert ownership of the *implementation* of the methods that they write and choose to licence it however they wish. I agree with the author on that point; that it equally protects copyleft code. But they cannot copyright the API itself, that is, Google can use the interfaces, structures, data classes, method signatures necessary to deliver the functionality specified by the API but must write their own implementation of those or licence it appropriately.

Oracle are being a bit tricky by omission. If they were being honest about it they would assert Google's right to the interface "code" and reiterate that their complaint is about the implementation code only. But I suspect that would drop the lines of code violation quite handsomely if they don't count those. If I was in Oracle's line of business, with some other global 3 letter megacorp that could claim ownership on a rather significant API, I would therefore be making that distinction at every opportunity.

Google are being tricky here by pretending that some of the items weren't copied. Notwithstanding that for trivial methods, the same code can quite easily be independently written and that with the advent of refactoring tools that just renaming variables to make it look different might only take a few seconds, it certainly looks suspicious to me.

Oracle are also asking for what seems to me to be a non proportionate share of revenue here. I work with two pieces of business software weighing in at give or take 3 million+ and 500 thousand+ LOC, and that is nowhere near the complexity of a modern operating system. It's got me thinking about the status of snippets provided on stack overflow too. I can well imagine a number of methods that are heavily inspired by answers in similar forums. 11 thousand, whilst significant, is likely to include many fair use elements and even methods that Oracle may find that someone else invented.

Oz PM's department red-faced after database leaks in the cc: field

Adam 1

Certainly not the quantity of emails that could be called a database. Do their systems not have safeguards to bounce if too many addresses are in the To or Cc fields?

8K video gives virtual reality the full picture for mainstream use

Adam 1

questions before I buy one

For how long will Samsung provide security patches for it?

How long will Samsung guarantee to keep any services alive that are required for it to function?

'Windows 10 nagware: You can't click X. Make a date OR ELSE'

Adam 1

The next version of gwx will be renamed to taskkill.exe. It will have some optional switches though, like /F(orce) and /IM(mediately).

Samsung: Don't install Windows 10. REALLY

Adam 1

Re: @Michael Habel - What an absolute

> Except maybe systemd

I see your systemd and raise you a svchost!

Bitcoin to be hammered – in an auction, that is

Adam 1

Re: What's the point?

> At a discount I would have thought

Good idea. It might be hard to work out just how big a discount is needed though. Too little and they won't sell. Too much and they won't make as much as they could have. I have an idea. Perhaps they could just offer to sell it to whomever offers the highest amount?

Victims stranded as ID thieves raid Aussie driver licences

Adam 1

Yes. By all means require/hold that number. Just stop tricking yourself into believing that knowledge of it somehow authenticates the holder of that information.

It's kind of like your date of birth. It's a data point about someone but it is unchangeable and hardly secret.

Additionally, licence numbers are almost certainly vulnerable to enumeration attacks. Something amiss with a licence number should be a red flag to investigate a bit deeper. No more. No less.

Adam 1

It feels really weird to be standing up for the RTA or whatever they call themselves these days, but it seems to me that fingers are pointed towards the wrong people.

There are two numbers, a licence number and a card number. The card number changes each time that a new card is issued, so can be in effect "cancelled". Why are credit agencies etc using the licence number if they are a target for identity thieves? There are many reasons why someone needs to share that ID. Just try signing up for any service, setting up any account, superannuation fund, insurance, loan, school enrolment for your kids or whatever without having to provide it to be photocopied.

UK eyes frikkin' Laser Directed Energy Weapon

Adam 1

Poncey McPonceFace*

* Yes I'm aware how Ponce is pronounced

Microsoft won't back down from Windows 10 nagware 'trick'

Adam 1

the craziest thing about it is

If not for the rampant, er telemetry, and gwx, it's actually quite nice. I would even be recommending it save for the frankly frightening way they are behaving here.

It reminds me of a dog chasing a car. What does it actually think it will achieve by upgrading my media centre PC to a version that doesn't support media centre?

If the upgrade had three buttons

Yes, upgrade

Not sure, ask me later; and

No, don't ask again

We would be praising them.

Judge torpedoes 'Tor pedo' torpedo evidence

Adam 1

> Unknown to Michaud, at the time he's accused of viewing the material, the server was already under the control of the Feds.

Shirley that sentence is getting pretty close to libel. I'm making no assumptions about whether he is guilty or innocent here, but one would expect the whole point of the defence argument was that he never accessed that site. If that is true (presumption of innocence and all that) then it would make no more sense than pointing out that Chirgwin did not know at the time that Michaud is accused of viewing...

The point here is that "we have secret evidence that proves his guilt, trust us" doesn't cut it. Perhaps with the opportunity to review and contest the evidence, an innocent man could be spared from unjust punishment, or perhaps it proves guilt beyond reasonable doubt.

Goats boost solar power

Adam 1

Re: GPS

Actually, I think they are using Grass, Leaves, Or Nutrition for Donkeys; or GLONASS for short.

Adam 1

Re: The trouble with goats....

There you go folks. Straight from the horse's donkey's mouth

Google-backed solar electricity facility sets itself on fire

Adam 1

Re: Predicting Problems

> If it needs to work in case of power loss it should be driven by a bunch of cylinders with compressed air

Yeah, it's not a PV array. The tower already contains thousands of L of superheated steam because, you know, it's kinda how the whole contraption actually works. Pretty sure they can figure out a way of converting some of that energy.

A spring loaded (or even gravity dropped) shutter could cut the power entirely within seconds for relatively little cost. Both could be passively activated.

Adam 1

Re: Predicting Problems

Surely a far simpler solution would be to lower the shutters over the mirrors. I should patent the idea. Except it is probably what they actually did. I know, on a mobile device ....

Hypersonic flight test hits Mach 7.5

Adam 1

Re: Wow!

> I'd almost forgotten just how amazingly fast a rocket can actually go

Particularly those that have just seen an Australian spider.

Bold stance: Microsoft says terrorism is bad

Adam 1

Hang on

If they can already figure out the part of the problem that I thought was intractable (freedom fighter or terrorist), surely they can do better than to just shut down access? Why not just replace all the download links with GWX.exe? That'll stop people searching for it.

Hacked in a public space? Thanks, HTTPS

Adam 1

a couple of misleading statements in the article

Firstly, a MitM scenario is what we call "the norm". It is highly unlikely that you have a direct connection from your computer to the server. There are most likely a dozen networks that get traversed. It is not some afterthought that the guys behind HTTPS didn't consider

Being a MitM allows you to 1. Observe and 2. Manipulate any bytes traversing that link. For HTTP, that means that pages can be manipulated and any credentials can be easily obtained. Some popular IT news websites even fail to use HTTPS in their comments if you can imagine that. Equally, mixed HTTPS via a HTTP page is not safe.

But HTTPS is different. The design of HTTPS is that your browser demands the site prove that it owns a certificate by signing a random challenge issued by the client. The server gives its public key which can be used to decrypt the response and reveal the original challenge; the certificate is signed by a trusted authority, which hopefully means some diligence was done by the issuer. Without getting a hold of the private key of a CA, or otherwise convincing them that your certificate should be signed, you will either have an invalid signature or a CA that your browser has never heard of. In both cases, your browser will make it known to you that it isn't satisfied.

The theory works, setting aside whether the CAs are trustworthy. The problems are in the implementations. The Apple GOTO fail bug was basically a failure to validate the signature on the certificate. POODLE works by interfering with the negotiations about what algorithms the client and server have in common, and basically tricking them into communicating using a very weak key. That is easily mitigated by either the client or server having a somewhat recent security patch applied.

Sslstrip works by tricking the client into using plain old HTTP while it works as a proxy, talking using HTTPS to the website (HTTPS validates the website identity, not the client identity, and you just gave your credentials to a proxy which is now emulating you.) It's not magical. It is also not going to get past HSTS so I seriously doubt a modern browser is going to leak Gmail over HTTP.

Mads Torgersen and Dustin Campbell on the future of C#

Adam 1

Re: Functions returning multiple values.

It's not a mountain different to current techniques like int.TryParse() returning both the success and the value if it was successful or dictionary.TryGetValue returning both whether the object exists in the dictionary and the object itself when it does.

On more than one occasion I have created a class that inherits Tuple and named Item1 and Item2 via getter methods and named constructor parameters. It works nicely but can be very verbose.

Adam 1

Re: Programming Peter Principle

> Obviously, YMMV but LINQ, the TPL, async/await, yield return (etc.) all make the older alternatives look awkward.)

Perhaps, but it can also hide a bunch of inefficient loops (thinking linq).

I saw the following line a month back

var myHashSet = new HashSet<int>();
// Put some numbers in it
if (myHashSet.Any(a => a == 5))
    DoSomething();

Put a million numbers into your hashset if you want to know why that is such a bad idea.

Another one I saw was two consecutive aggregate functions, which I had to point out to the author that they were iterating their whole dataset twice.

The others though are brilliant.

Reavers! Google patent would affix pedestrians to car hoods

Adam 1

choose your poison

Secondary impacts do cause a lot of injury but the rolling up and over motion also means that the pedestrian isn't absorbing as much of the momentum, lessening the injury. Affixing them will result in much more momentum.

Australian Federal Police say government ignorant of NBN raids

Adam 1

Re: Raises more questions

Let's just hope that senator ICanMakeYouWearRedUnderpantsOnYourHead starts getting a hint about the potential mission creep behind metadata retention laws he previously supported.

Boffins achieve 'breakthrough' in random number generation

Adam 1

It works in a computer game dice roll scenario but not a security scenario. Your possible seed values are minutely small because I have a high probability of guessing your clock time to "within seconds". The default system timer on windows has a resolution approximating 10ms (actually closer to 16ms but 10 makes my math easier). That leaves only 100 possible seed values per second. That is easily brute forced.
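As an added example (my code, not the commenter's), this Python sketch makes the seed-space arithmetic above concrete. A victim seeds a generator from a millisecond clock truncated to a 10 ms tick (the resolution assumed in the comment) and hands out 64-bit "tokens"; an attacker who knows one token and the second it was issued in has only 100 candidate seeds to try, and once the seed is found can replay the generator and predict every later token. Python's `random.Random` (Mersenne Twister) stands in for whatever non-cryptographic generator the application used; the timestamps are constructed.

```python
import random

TICK_MS = 10  # assumed timer resolution, per the comment (~10 ms)


def time_seed(unix_ms):
    """Seed as the victim derives it: the clock truncated to the timer's resolution."""
    return unix_ms // TICK_MS


def victim_tokens(unix_ms, count):
    """Victim seeds a PRNG from the clock and hands out `count` 64-bit 'tokens'."""
    rng = random.Random(time_seed(unix_ms))
    return [rng.getrandbits(64) for _ in range(count)]


def recover_seed(first_token, guessed_second, window_seconds=1):
    """Attacker knows one token and the issue time to within `window_seconds`.
    Only 1000 / TICK_MS seeds exist per second, so every candidate is simply tried."""
    start = time_seed(guessed_second * 1000)
    end = time_seed((guessed_second + window_seconds) * 1000)
    for tried, seed in enumerate(range(start, end), start=1):
        if random.Random(seed).getrandbits(64) == first_token:
            return seed, tried
    return None, end - start


def predict(seed, already_seen, count):
    """Replay the victim's generator past the values already observed."""
    rng = random.Random(seed)
    for _ in range(already_seen):
        rng.getrandbits(64)
    return [rng.getrandbits(64) for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario: tokens issued at 1465000000.437 s; attacker knows the second.
    tokens = victim_tokens(1_465_000_000_437, 3)
    seed, tried = recover_seed(tokens[0], 1_465_000_000)
    print(seed, tried, predict(seed, 1, 2) == tokens[1:])
```

The fix is not a finer clock (a 1 ms tick only multiplies the work by ten) but a seed drawn from the operating system's CSPRNG, such as `secrets.token_bytes` or `os.urandom`, which has no guessable structure at all.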

Adam 1

Re: I'm no Mathemagician...

So Jeffy,

Explain how one decides the random order of those bits?

Adam 1

Re: Next big question

3. Just return 4

New solar cell breaks efficiency records, turns 34% of light into 'leccy

Adam 1

Re: In terms of watts per dollar...

> A new solar water heating installation costs about £3,000 to £5,000.

That number is either way out of date or exaggerated due to your local geographical, regulatory and supply considerations. Here in Australia you can get 300L systems from AU$3500 installed before rebates, so that drops to around 2.5K retail. Payback vs 27c/kWh is much quicker than in your scenario.

Destroying ransomware business models is not your job, so just pay up

Adam 1

Re: in a way, but

Your process is admirable, but not in the realm of technical capability of Aunt Kath. Remember the comment thread you are replying to basically says that about 3% of disks will fail without any malicious ransomware, so it is hard to have sympathy for those without backups. That's why I think of who the victims are. The average El Reg commentard is too super DevOps skilled to fall for the phishing schemes that deploy this ransomware. But our Aunt Kath will go right ahead. So the people most at risk of infection would have no clue what rsync or hard links mean and the concept of incremental backups isn't even on their radar.

Adam 1

in a way, but

... Ransomware can also permeate into backup media. Some of these things sit there for weeks or months silently encrypting and decrypting on the fly. This may be enough in some cases for all backups to be equally rooted.

Inside Electric Mountain: Britain's biggest rechargeable battery

Adam 1

Re: Now build a few dozen more...

> Renewable energy is pretty much dead in the water as any competent electrical engineer can calculate for you. It doesn't work now and it never will

A brave prediction sir.

Hydro has been with us for a long time. You can make many complaints about its environmental impact and the good sites are already taken, but there is no escaping that it works. It is usually a lot cheaper than coal or nuclear and can be classified as baseload. Also as mentioned in the article, it has by orders of magnitude the fastest cold boot times of any current baseload.

I can completely understand that solar has a somewhat limited benefit in the UK but in other parts of the world we even get sun from time to time.

The price of solar has dropped by orders of magnitude over the past decade. That trend is only going one way. The question longer term isn't whether some baseline can be replaced but rather how much is needed to maintain reliability. With pumped storage as illustrated here, that number can go much further north. Remember that solar doesn't require ongoing fuel costs so there will be a running cost advantage. Once those graphs cross over, it will be nigh impossible to get funding for new projects.

Another important point is that not all demand is inelastic. We just haven't had the levers to discourage behaviour in real time until recently. Whilst lighting, cooking, air con or heating and of course warm beverages are a given, many industrial uses like smelters can be paid to partially shutdown for peak periods.

Time of use "smart meters" are a longer term demand management opportunity. Each EV has a battery pack between about 10 and 60 kWh which again in a longer term can handle fluctuations.

Whilst it isn't all going to change tomorrow, the writing is on the wall.

Adam 1

Re: Great article

> I notice that the article doesn't say how long it can maintain that sort of output

Being in Wales, I suspect that there is a not insubstantial free top up of the top reservoir every other day.