
* Posts by Lee D

2894 posts • joined 14 Feb 2013

SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...

Lee D
Silver badge

To be fair, they would be subject to wear-levelling.

It's just a matter of waiting long enough.

12
0

London flatmate (Julian Assange) sues landlord (government of Ecuador) in human rights spat

Lee D
Silver badge

Re: Ecuador could solve this in about 3 minutes

They really don't need to even do that (and he wouldn't evacuate anyway, would he?).

Just phone the police and say "I invite you to come arrest Mr Assange at your earliest convenience".

The ambassador wouldn't even need to leave their desk.

1
0
Lee D
Silver badge

Data given to his organisation ends up being released unsanitised, putting people's lives at risk and identifying his sources. One source goes to jail for that, another ends up fleeing to Russia to escape.

Court gives the man a chance to be free on bail, he skips it.

Friends of his donate money to secure that bail, he skips on them, losing that money for them.

Ecuador give him asylum (the only place really willing to), he abuses it for years and then tries to sue them.

All I take away (even assuming that the Buzzfeed link with all the crap about his behaviour inside is just hyperbole) is that he's a twat who abuses trust.

And yet, we're supposed to believe this guy is going to be sniped by American agents the second he shows his face?

At one point, very early on, he could have had a message, a cause, a reason to back him. All he's done in the years since is drop other people in it, cause hassle for those who back him, and run from the law that isn't even really chasing him (our police ARE chasing him, but then they have a cast-iron admission of guilt for failing to abide by court bail, in that he's not abided by the court's bail conditions - they don't need to prove anything).

4
3

GitHub.com freezes up as techies race to fix dead data storage gear

Lee D
Silver badge

Re: Cloud based services

It isn't really cloud, though, is it?

Not if one data storage thing going offline causes the whole thing to fall over. It's more like a Drip. Maybe a Puddle.

Whether or not it's "cloud"... where's the failover? And I mean failover, not just "oh, have some stale data and we may be able to restore a backup"... but live storage somewhere else ready to take over. You'd think $7bn might be able to buy something like that, no?

It doesn't matter whether it's cloud or not - it's SHODDY. Storage failures should never get to the point where they affect users, because you should have enough redundant storage mirrored up to date, and via a versioned filesystem so even a "delete all" command can be undone, for it not to matter.

If you're basing your business on their services, immediately review that decision. From the looks of it, they are just running off stale caches at the moment. That might mean they have no data actually up at all.

16
2

Crucial P1 minicard flash drive? Not if you grabbed Intel's 660p

Lee D
Silver badge

Re: I'll never buy another

I bought a bucket of the cheapest Crucial junk SSDs I could find, lobbed them into any machine in work that couldn't take our >4Gb RAM upgrades (which tells you the age of those machines! They run 64-bit Windows but the motherboard can't take more than 4Gb RAM) - so half the machines are 4Gb with an SSD, the other half are 8Gb with a normal hard drive.

Bear in mind that I *never changed a single option* - none of this caching rubbish, no "tool" running to optimise the SSD, no overprovisioning, no disabling of swap, etc. - literally a byte-for-byte image of whatever was on the same computer before the upgrade...

1) I've not had to replace one in over 4 years.

2) If I did, they are the cheapest things to replace, and literally replaceable because nothing is stored on the HD, just the OS and roaming profiles.

3) They would be swapping much harder than the 8Gb machines.

4) They OUTPERFORM the 8Gb machines, by a large margin. People use them in preference.

5) When I *do* run the tools, there are zero failures and the estimated life is still 5 years +

6) These machines are hit hard every day, in use all through the working day, way into the evening, and sometimes 24 hours a day in some locations. They get dozens of users a day sucking down their entire profile and then pushing back to the server, and doing all kinds in between and "Switch User"ing between half-a-dozen users all the time rather than logging off.

I honestly can't fault them... I have a Samsung in my personal stuff but they were a test to see if they were viable and whether I'd have to replace them every year, and they are still flying. If I had to replace them every year, I really wouldn't care at this point.

P.S. You should never lose data. Literally never. If you can afford one drive, you can afford two half the size and something to RAID between them, even if it's only a pathetic mirroring. And you shouldn't be storing anything critical on any machine that can't do that (we call those clients, they shouldn't be storing files on them and you should be able to code up a bare-metal machine to a working client with all your software and domain in minutes).

Now, if you'd said Seagate and hard drives - I'd be right with you. I burned through EVERY SEAGATE DRIVE in the workplace in that same time. Literally every one failed, and every RAID resync with more Seagates inside them was a cross-your-fingers-and-check-your-backups moment. Every single drive that failed was Seagate (whether SAS or SATA, client or server or storage). Every Seagate drive has failed.

But the cheapest, junkiest, most useless, sacrificial Crucial SSDs... they are so impressive, I've worked out what I'm upgrading next rather than RAM.

9
1

Party like it's 1989... SVGA code bug haunts VMware's house, lets guests flee to host OS

Lee D
Silver badge

Re: A standard dating back to 1987?

I still contest that a WinTV card plugged into a decent aerial put onto a computer (via the old purple-overlay-on-screen-with-a-cable-passthrough trick) was some of the best quality TV images I'd ever seen. I was enjoying full-screen, smoothed-but-sharpened progressive-and-deinterlaced TV at HD res long before HD was a thing.

Hell, teletext was also a dream - it cached EVERY page of teletext on the entire channel, so you literally clicked around it on the three-digit page numbers like hyperlinks.

8
1
Lee D
Silver badge

Re: A standard dating back to 1987?

Ah, VESA VBE.

UNIVBE and Scitech Display Doctor.

Yes, I remember those days, but I have no idea of the timescale. I do remember, though, having monitors with post-"Standard Definition" resolutions about 15-20 years before people started buying HD TVs.

They never understood why I wasn't at all impressed.

Hell, I remember running... Fractint? In ridiculous resolutions. And a DOS program called "display" (which is non-existent now and impossible to Google) that could utilise those ridiculously high resolutions that monitors were capable of back then. Until you hit the one res that was a little too much and your whole screen spocked out trying to show it (no "Out of Range" messages in those days, just a monitor slowly damaging itself...)

I still have a Philips 105S that I used extensively in those days. It still functions some 20 years later as a CCTV monitor, and the picture is as clear as the first day I turned it on.

18
0

Sure, Europe. Here's our Android suite without Search, Chrome apps. Now pay the Google tax

Lee D
Silver badge

Re: Or the fourth option...

This is always brought up about such things.

The regulators really wouldn't care very much. They get paid either way. And they can claim it's "opening up the market" (which is what you want such regulators to do, really, isn't it?). Also, every Google competitor will jump behind them and claim that they were just protecting "the small guy" and love them for it.

The biggest answer really is "Would you like to lose 50% of your revenue from one of the largest markets in the world?" Often the answer is no. Because people forget that annoying the EU has major ramifications for any international company, because it's often the second biggest market they trade in, if not the first. Nobody's stupid enough to throw away 50% of their worldwide revenue for the sake of a bit of legal work. Did you see companies' responses to GDPR? Even US-only companies were diving for cover.

41
2

Virgin Media? More like Virgin Meltdown: Brit broadband ISP falls over amid power drama

Lee D
Silver badge

Re: Not just residential

We have a VM leased line. That stayed up.

We also have a VM-managed, but BT-supplied leased line. That one was down on the timing in the article.

We also have half-a-dozen staff complaining that their Internet was "really slow" at home last night (quite what they think I can do about that, I'm not sure!)... almost all of them BT.

I'd be inclined to think that this is at least partly "BT equipment not joining to VM network" rather than just VM on its own - a lot of their connections are now just ordinary BT-resell stuff, not VM at all.

1
1

Web browsers sharpen knives for TLS 1.0, 1.1, tell protocols to dig their own graves for 2019

Lee D
Silver badge

Do me a favour - someone tell the banks and places like BACS.

I'm tired of dealing with their obsolete junk that only works in IE and so on, competing - and incompatible - versions of smartcard software required (one that works in Chrome, one that doesn't, etc. but you can't have both at the same time) and everything else.

The only place I've ever left the services of for not understanding basic online security was a bank.

They really need to get on board and make things easy for their customers, especially business.

10
2

Samsung’s flexible phone: Expect an expensive, half-bendy clamshell

Lee D
Silver badge

Things that a foldable phone fixes:

- Too huge and thin a device in my pocket, compared to a littler, fatter one.

- No accidental screen presses (if I put my phone in my pocket unlocked, I have often come back to all kinds of icons all over the place and deep in the menus and even nearly butt-dialling people).

Things that a foldable phone makes worse:

- Longevity. Any moving part is bad - look at your current phone and name the actual moving parts. For most phones this is quite literally "whatever is inside the accelerometer".

- Screen scratches - now you can trap something inside your phone and scratch the hell out of your screen.

- Ever increasing cost. This stuff ain't going to come cheap.

- Manufacturing faults. I guarantee that within days of release someone will post a photo of one that has half the screen invisible because the bit in the middle failed.

It's a good idea, but until we have a literal materials revolution (i.e. something unscratchable, flexible, durable and touch-compatible enough without being a NASA-grade material), it's not going to be any good.

4
2

Scanning an Exchange server for a virus that spreads via email? What could go wrong?

Lee D
Silver badge

Which is why you ALWAYS exclude any MS SQL, VHD(X)-holding-area, or Exchange database folder from any antivirus scan.

Such "bad-string-search-programs" (as I like to call them) are too dumb to cope with such files half the time, and certainly you don't want the AV holding up or quarantining access to your main hypervisor's VHDX files that are constantly being read from / written to - for a start, just making some AV look inside a VHDX file which can be terabytes large is an incredibly stupid idea anyway, let alone when you're on a machine that has dozens of them. I don't debate that it's a good idea to have the core OS on a server (even a hypervisor) protected by an AV program, though.

Modern software (usually) knows how to deal with such formats (famous last words), but I always put them on the exclusion lists anyway - you just know the one time that it doesn't, it'll take down your system, and any program that can sneak past the AV and plant its stuff in the MS SQL db folder is already a full system compromise anyway, and must have come via another entry point through which they would have been scanned anyway (as things tend not to download to that folder by default!). For me, there's a Sophos server config and a Sophos client config, and the server one excludes any of the usual / default folders I store that stuff in, and certainly DOES NOT ever delete files - and the individual emails are handled via Puremessage anyway before they ever hit the Exchange database, and then the database is only scanned by a program that understands its format.

It worries me that people manage systems by just slapping on some AV onto a server without for a second thinking of the potential consequences.

11
0

Yale Weds: Just some system maintenance, nothing to worry about. Yale Thurs: Nobody's smart alarm app works

Lee D
Silver badge

Re: Not Surprised

It's the only reason that locks and British Standards clauses exist.

Nothing is secure. Any front door can be taken down in under 60 seconds, as can any car. What matters is that you can't do it *without damage*. Insurers want to see signs of forced entry, or no-payout.

Nobody even tries to pretend that your car is secure. It's a mobile device like any other. That's why we put GPS trackers and stuff on them. But I don't have any involvement with Ford to open my car door. I press a button, or I put the key in the lock, it CANNOT talk home - it doesn't even have any method by which to do so.

The difference is - I'm not relying on my car locks to secure my car from theft. They can't. They secure it from "opportunist" opening of my doors and nicking whatever is in the footwell/centre console. I also don't leave anything in my car overnight. What I do is, I take it out... and put it in the house. Because forcing entry to my house is a) harder, b) more obvious, c) much more likely to attract attention (not just mine, but mine's the only one that matters), d) can't be had as a quick getaway.

But, certainly, my car and my house have something in common - you could easily get in if you really wanted to, but you would have to leave evidence of doing so... and that means my insurance pays out. If the Yale lock decides to just randomly open, or they get hacked and an "open all customers' doors" command is sent, I have precisely zero recourse to my insurers (seriously, read your policy... "forced entry"), though I might be able to sue Yale (though it's unlikely I'd get full compensation for anything that was taken even then... more likely Yale would go bankrupt first!).

0
0
Lee D
Silver badge

Re: Not Surprised

Smart locks are dumb ideas.

But non-mechanical locks are fine. E.g. magnetic strikes, mag-locks, etc. People - and businesses - use them the world over.

The advantages are many: Auditability of access. Alerts on access. Ability to rescind access (try taking a key back from a tenant - you'll end up just changing the locks).

And if you don't "cloud" every-fecking-thing, then it works great. To get in my workplace, you have to force entry. It's that simple. Even if the power goes out, the Internet goes down, etc. then you have to force entry. Except... if you are an authorised user. When you just tag and in you go. The only complicated scenario is a seriously extended power-outage which exhausts ALL the batteries. In which case there is a single method of entry in "fail-open" instead of "fail-secure", which is protected by a physical key. Thus entry can be made only by the genuine people even in absolute power-failure for weeks on end.

What you don't do is have this smartphone-connected junk or, if you're going to have that, you remote-access your secure internal systems via a proper method, not a junky smartphone app that relies on Yale. What you do is VPN into your own system and access it directly. If someone works out how to get into your VPN, it's already game over anyway, presumably. And you can do that from a smartphone really easily.

It's a matter of "design", not the tools you use in that design. You have to consider what happens in every circumstance, not just "I'll assume this will always work".

The other thing is - can this Yale lock, in theory, lock you in the house? Because that's a death-in-a-fire waiting to happen.

12
0
Lee D
Silver badge

Re: If this guy has chosen not to install one of those ...

Then he probably wouldn't say "my property" and would probably be yelling at his landlord, instead of Yale.

9
0
Lee D
Silver badge

"I’m an engineer, I work in IT, this is not acceptable. Who signed this work off? What was the rollback plan ? Call yourselves a security company ? Shameful. @BBCBreaking @Channel4News @BBCRadio4 @CNN @Reuters here is a story for you! I can’t enter my property I only have the App!"

Gosh. You'd think a guy who worked in IT would understand the importance of a way to enter when the app went down, really wouldn't you? I mean, backups and resiliency, and all that. I wonder if he even has two Internet connections at home in case one fails and he can't get back in?

People like this annoy me greatly - I work in IT and though Yale might be damn shoddy, for sure I wouldn't be embarrassing myself saying "I have no other way to get into my property except a smartphone app dependent on a third-party". For a start, I'd have a manual key lock or a bypass code on a secondary lock that overrode it, even if I never really needed to use it.

27
0

Powerful forces, bodily fluids – it's all in a day's work

Lee D
Silver badge

Re: Monitor

"Clearly the above commentators have never had the fun* of having their 'known good' hardware killed by whatever was causing the original problem."

So you mean.... you change one part. No change. Then you have to move your diagnosis further up the chain, until you find a dodgy item (i.e. a PSU that doesn't work on TWO motherboards, or that you swap out and it powers up), or until you *test* an item more than a quick check of "does it function immediately and perfectly in all regards"... by, say, sticking a PSU tester on it.

I have in fact had MUCH more complex diagnoses than that (recently someone put a digger through a 450KW supply cable and blew up £20,000 of hardware, that we restored by diagnosing and replacing only £3000 of parts that were ACTUALLY faulty). And you ALWAYS start with the same diagnosis. In that scenario. I wouldn't have got through more than two motherboards or PSUs before I suspected a much more serious problem. In fact, likely one PSU and maybe two motherboards - when the known-good MB is replaced on the same PSU and doesn't work, I'd suspect the PSU, replace that, and then when that didn't work, I'd go once up the chain (checking the power sockets and cables by using a known-good one of those).

Then when you know that it's the MB/PSU end / combination that's at fault... pull both, check one level up to make sure the power isn't blowing the PSUs, put something else in place, allow the user to continue work, and then carry on your diagnosis of the faulty parts back in the IT office (e.g. with a £10 PSU tester) before you do any more damage. In fact, at that point, I'd put the previously-known-good MB back on a known-good PSU, realise that it must have actually BROKE during testing despite being known-good, and ditch the PSU that did it, testing it only for curiosity.

Four PSUs and three motherboards again reeks of "I didn't narrow it down sufficiently and just kept guessing / throwing hardware at the problem".

Honestly, the second the "obvious" swaps don't work, I'm replacing the entire kit to shut the user up, breaking out multimeters and testers back in the office (where there's an isolated mains and network circuit, because you are playing with 240v and PSUs!). There's a reason I have a drawer full of nothing but cheap PoE testers, mains socket testers, multimeters, PSU testers, network cable testers, battery testers, discriminating continuity testers, telephone line testers, etc. And that drawer cost me an awful lot less than even the price of the cheapest replacement motherboard. (I am not one of these people who wants/needs £1000 high-tech testers... if it doesn't pass a basic test I don't want it, and if it needs £1000 of tester to tell you if it works, but £50 to replace it, I'll just replace it.)

P.S. Yes, we do all our own cabling. We manage and repair all the PCs and devices on-site. Hell, we do the CCTV, access control, and everything else you can imagine ourselves. We do not have a huge stock of spares (currently about 0.1% of the deployed hardware) or parts. I don't have a huge test suite or dozens of techs - 1 per 500 devices. I don't have a stupendous budget, or warranty support etc. on anything but the server-side. The way we cope (more than comfortably) is by proper diagnosis.

16
9
Lee D
Silver badge

Re: Monitor

Because "elimination" is not in most IT guys' diagnostic process.

Yes, it drives me mad too.

The other is when they "eliminate" something, then for some mysterious reason proceed to return to it and eliminate it several more times after exhausting themselves on other things because they don't have the nous to go further down the line and/or imagine a test that would isolate the cause.

"X isn't on the network".

Okay... ping it. Is it turned on? Is it cabled in? Is the cable in the wall? Is the cable good? Is the wall cabling good? Is the wall socket good? Is the other end patched in? Is the switch working? Is that switch connected upstream? Is that switch port configured properly (e.g. VLANs, MAC filtering, etc.)? Is that actually the IP assigned to the device? ...

All these things are "simple" and obvious for an IT guy, or should be. But I've watched supposed IT professionals stare mystified because "obviously the wall cabling must be good" despite the fact that they haven't bothered to test any of it by even the simple precept of putting something else on the cable.

I've literally sent technicians back repeatedly for nearly 6 hours straight because a device wasn't online despite being powered up and working... only to then have to go do it myself and discover that the cable between the device and the wall was faulty. Replace the cable, everything came up. They literally didn't bother to eliminate along the path, instead stabbing at random at causes, rebooting switches, etc. The reason I kept sending them back was to teach the lesson - you can waste an entire day just stabbing at causes and making yourself look an idiot... or you can apply a proper diagnostic process in a linear fashion until you find the cause (or, even, multiple causes).

The value of diagnostic thinking is greater than you think.

95
4

Microsoft Windows 10 October update giving HP users BSOD

Lee D
Silver badge

Re: IPV6

Sounds like a good way to make sure you don't use Edge or Windows Store to me.

Noted for if/when I ever upgrade to Windows 10... turn off IPv6...

4
0
Lee D
Silver badge

Hey, it's almost like you should wait until the user is at a point that they feel confident they have backups of the system and everything they need before you push updates to them.

Almost like... you know... you should ask the user. "Hey, I'd like to update now... are you ready?" rather than just forcing it through anyway.

Hell, maybe even a 30-day "Have you backed up yet?" nag might not be enough... maybe they are desperately trying to get the system backed up to a sufficient state, and are struggling to do so as a home user on an OS with PRECISELY ZERO GUIDANCE on how to do just that, or restore it if it goes wrong. So maybe someone should a) ask them to backup, including asking them if they'd like to see the backup tools available, b) not proceed with an update until a backup has been taken and verified, c) not proceed with an update until the user has said "Yes, I have adequate backups" no matter how long that takes.

And maybe, just maybe, put a System Restore feature into the OS that actually fecking works?

Gosh, I wonder what the easiest solution would be to this dilemma if you don't want to hand-hold your users through this, but also don't want to trash their systems by updating before they've managed to take a backup.

I don't know... allow them to indefinitely postpone updates maybe?

6
0

Here you go, cloudy admins: Google emits NATty odds 'n' sods

Lee D
Silver badge

Re: Still amazes me how oblivious/stupid some companies are

Once they're inside, how they get the data out is really a secondary concern. NAT isn't going to help them or hinder them.

But a default-allow on outbound packets is the silly thing. Possibly acceptable for a home machine, certainly not for any major service.

1
1

Samsung Galaxy A9: Mid-range bruiser that takes the fight to Huawei

Lee D
Silver badge

- Non-removable battery.

- Costs more than most cars I've owned (and they've always lasted longer than a year, up to 10 in some cases) and certainly more than I've ever paid for every phone I've ever owned collectively.

- Four cameras? I mean... why?

- No waterproofing or wireless charging - I'm cool with that. If only that had saved some money, eh? It's almost like it's a freebie that costs nothing that they throw in as "another feature" on all those other phones...

Hell, I can't even justify the junk that is the J6 for £199.

And they wonder why they don't own the market?

5
0

PINs and needled: Experian site blabbed codes to unlock credit accounts for fraudsters

Lee D
Silver badge

Re: Can someone tell me why?

There's no such thing as a credit score.

It's literally a number made up by a single entity, and has no standardisation or correlation to any other number. You can't compare them, you can't predict them, you can't even choose a threshold (GDPR says that a human must now evaluate if the customer demands, not a computer score). They are literally a fabrication and any website that claims to tell you your credit score is no different from one telling you how many you rate out of ten on the sexiness scale.

As such, no credit decision is taken on the basis of "at least 900 on your credit score". It doesn't exist like that, and isn't processed like that, and when you do a minimal/statutory/DPA request from the credit agency, that number never appears.

Because the data they hold (what you pay for, when you pay it, how much you owe to whom) is the data that decisions are based on and every single credit-giving entity has their own criteria based on that data that has nothing to do with the credit reference agencies or any made-up "score".

The reason they won't lend to someone like you with 999/999 is precisely stated in your comment: You don't have any credit, and "You've never missed a payment". You're not profitable to them. And even no credit history at all is a red-flag so they won't lend to anyone who doesn't already have some form of credit history. It's a reputation score of "would he pay me back" - when someone who's never needed credit in their life suddenly asks for a loan, the risk is enormous - you have no idea if they're just gonna cut-and-run.

I made my "score" on one website drop from 700 to 100 by asking for a Vodafone SIM three times, and never receiving / activating any of them. Literally, I did nothing else, owe nobody any money, never even got to give payment details but "multiple credit requests" is considered a sign of desperation, so they hurt you for it so they don't put themselves at risk.

Credit scores are made-up nonsense. Credit references are basically subjective and there to profit companies giving credit. Actual credit for daily life shouldn't be required except for the major unaffordable items (housing is about the only thing). That someone asks for credit for home or car insurance - that's a red-flag. They can't afford to pay an annual lump sum, but they're keeping their car in good nick are they? Credit shouldn't be required for that. But we've taught our kids that that's okay (I blame Direct Debit a bit, but most essential DD's are actually zero-interest and cheaper than the annual payment). Telephones and mobile - I covered that. No. Buy.

But in all these other places you're ASKING for credit, when you could operate without credit. You're asking the gas company to lend you £200 for gas and you'll "pay them back next month". That's what you're doing. It's perfectly justified but also not strictly necessary. Nowadays pre-pay with a smart meter means you are on a monthly recurring pre-pay "contract" that you can cancel at any time and never get into debt for. That's no worse than a DD of credit on your account, in effect.

I'm not saying it's not the norm. I'm saying all those things - apart from housing - you do actually have a choice on, but instead choose to pay money to credit reference agencies and credit middle-men who are paying for your car / phone / etc. and then taking their percentage on top.

100 years ago, you literally didn't have a choice. You had the money or not, and lenders were not to be used for minor things. Nowadays, every 18-year-old fights for a credit card, phone contract, monthly car insurance deal, car finance, etc. the second they are of age to do so. Sorry... no sympathy.

(P.S. I have credit agreements. I'm no martyr here. But I do everything I can to ensure they're affordable, as well as ensure they are necessary and that I have a backup plan should something happen - lose my job, etc. And, no, that doesn't mean payment protection insurance! If you said to me tomorrow that you're cancelling all my credit agreements that I have in place... you'd take my car from me and have to give me back more than enough to buy several new cars, or I could dip into what I have and buy it from you - and even that is *literally* because I was forced to move out and live on my own, doubling my expenditure, and therefore spending the money I had put aside to pay off the rest of the car... halfway through the credit term).

0
0
Lee D
Silver badge

Re: Can someone tell me why?

I'll give you the "ability to get a place to live", because credit checks are done on both renters and people taking a mortgage.

However, EVERYTHING else you state is either a) optional in that process or b) you expecting people to give you free money to do so.

To get a mobile phone? Nope. I have one. No credit check. I bought it.

To get a phone connection? Nope. I have one. No credit check.

To get a credit card? Yes. To get a card that functions like a credit card? No.

What I'll add to your list is "bank account" but - again - you don't really need them unless you want them to give you free money - overdraft or loans.

If you want people to give you free money, yes, that person will use a service like this to check who you are.

If you don't want people to give you free money, you don't interact with them.

And the only time the average person NEEDS (not chooses to) someone to give them free money is... when applying for a mortgage or possibly a rental agreement.

I hate them with a vengeance, and credit ratings are the most backwards things I've ever seen in my life. But the way to stop them is to NOT borrow money, and then pay them the interest for having done so. Then they lose not only your applications to them, but also all the money they would have made from you.

That we live in a society where people are perfectly happy to give away their information and sign up to a loan in order to purchase an over-priced luxury that they use barely 1/10th of its capabilities... that's just a sign of the times. There are perfectly viable alternatives called "save up" / "buy outright" / "live within your means".

6
1

You can hear a PIN drop... All quiet on the mobile broadband speed front, says network watcher OpenSignal

Lee D
Silver badge

Re: <Title is optional>

Could just as easily be better backhaul, or more towers, or just better prioritisation.

They're never going to know from crowd-sourced data, and the mobile operators aren't going to discuss internal technical affairs.

To be honest, speed isn't so much an issue. I'd happily halve my "max speed" if I could get more data for the same price.

On a Three mobile broadband SIM, I get more than enough bandwidth even at peak periods to watch all my telly over it, what I don't get is enough data to cover what I want to do.

And Vodafone (the only people who give more data) are still too stupid to allow me to order a SIM despite the fact that they have a better deal with all the TV channels and big websites not counting towards your data allowance. I can't do anything on two accounts I "registered" and ordered a SIM on until I activate the SIM, but haven't seen any SIMs at all, and signing up with another email just starts the process again.

(P.S. No, just because you have a 100Gb SIM does not mean that you can tether / mobile broadband for 100Gb, and I use my SIM as a broadband replacement for the home network, not watching all my TV/movies on tiny phone screens tied into 36 month contracts).

But the fact that I can use a 4G SIM in a cheap Huawei box off Amazon to run my entire household is pretty impressive and shows you that the "max speed" doesn't really mean much nowadays. Even my Steam downloads happen just as fast as when I used to have a broadband line.

1
3

Apache OpenOffice, the Schrodinger's app: No one knows if it's dead or alive, no one really wants to look inside

Lee D
Silver badge

RHEL is always behind the times.

RHEL 6 is based on Fedora 12 from 2010.

If RHEL don't support it - then they don't support it and you're on your own.

Fact is, they support older versions only.

Blame RHEL, not OO (and I'm no fan of OO!), and take that blame and use it to influence your decision next time you use / pay for a distro (i.e. go to ANY of the other distros that supports the full version of modern OO if that's what you want...)

1
0
Lee D
Silver badge

This is what happens when you tell developers who are working for free to "get on board with our methods or bugger off".

They have a tendency to bugger off and not come back. Or, in this case, bugger off, make something better, steal your entire userbase and then laugh at you.

Sorry, but AOO is dead. Oracle killed it many years ago. LO gets updates all the time with significant feature changes and constant evolution.

I actually JUDGE the Apache project people for allowing it to a) happen, b) continue, c) be endorsed, d) continuing to distribute the old crap codebase that people can barely compile.

Almost the first few months of LO's existence was "rip out all the rubbish and put in a normal build system". It wasn't until they did that that anyone contributed anything useful. They then spent many years translating obscure German code comments and ripping out code that did nothing and did it badly.

26
2

World's largest CCTV maker leaves at least 9 million cameras open to public viewing

Lee D
Silver badge

Re: Security? We've heard of it.

"Regardless of all the stuff about VLANs, you could check out the building remotely and use the information to find out the best route and time to break in, and delete the evidence afterwards."

No, you just wear a balaclava. Done.

Nobody in their right mind will break into a building and then try to hunt/destroy the cameras. Mostly because they'll almost always be synced to off-site storage, cameras often come with SD cards inside to double-record all footage nowadays, and the actual reliance on "roll the camera back" is fading fast in favour of "the camera just texts me when it detects movement on an internal camera, with a copy of the last 30 seconds of the footage" (note: all perfectly viable without third-party cloud servers).

Honestly, if it's an average private home, the police don't even have the time to obtain footage and unless they pull up with their car number plate facing the camera, or look up into the camera, you stand precisely 0% chance of identifying them. (Source: Three police incidents of burgled neighbours with captured footage of vehicles and burglars).

If it's any property that you need to keep more secure, that footage is stored in a secure location and mirrored (you tell me where that network cable I plugged into the camera is actually recording TO... could be anywhere in the world, synced to an off-site backup, sitting in a cabinet anywhere on site, accessed live over a VPN, etc. etc. etc.). You'd have to smash all the cameras you passed (which is why they are vandal resistant), pull them off the wall, destroy the cards inside them, find the NVR (or NVRs!) on-site, destroy them too, and hope that in all that time it never got to send out a single message, alert, alarm signal, footage or backup off site.

P.S. any modern NVR has "camera blackout" alerts that can detect obscured / disconnected cameras and alert you in a number of ways. You have from the time you smash the first camera, until the time the security company van arrives to destroy all traces of the CCTV system.

P.P.S. CCTV is not there to roll back and see what people did. That's just one function. It's there to alert someone to something unusual. Like burglar alarms - there's no point getting home and the light is flashing and it's been going off all night and everyone ignored it. At that point you KNOW you've been burgled. You fit a burglar alarm to alert someone who'll do something about it quickly - like your neighbour (highly unlikely), a security firm (better, but expensive), the police (yeah, right, they don't even come out for persistently-ringing alarms any more, they tell you to call Noise Abatement), or... the best option in the world... you. By texting your phone and saying "Internal camera detected movement" or "Lost contact with Front Camera".

You have to notify the only person in the world who cares about your property - which is you. That's the function of CCTV, burglar alarms, car alarms and anything else. Everything else you might "think" will happen is a nonsense. I hear a car/house alarm literally every night. I do precisely zip about them. As do all my neighbours. (Source: three house burglaries, nobody "heard anything", several site intrusions, vandalism, burglaries, thefts, not a single one caught in the act or discovered until the next morning).

I supply CCTV footage from large sites to police. Pretty much, it's useless and nothing comes from it. (Source: Three house burglaries, plus dozens of site burglaries and vandalism: convictions - zero, arrests - one [a teacher that was arrested for restraining a teenager from beating his mate up, I kid you not, the guy was never able to work in a school again], time spent - literally MONTHS of hunting footage).

The reason it's on the wall is so that people can see we're watching, and so that the guy who's in charge of the site at night can see whether the banging outside is a gang of kids, or a loose fence panel before he puts himself in harm's way. I guarantee if there's someone actually doing something, he will call the police, but only after he checks the LIVE footage. The historical footage is there for a court many months in the future, if necessary, and is usually so pitiful as to be useless.

If you don't know this, I suggest that you've never managed CCTV or been asked to provide footage to police after an incident. Note also: Approximately 70-80% of the thefts, break-ins, vandalism, intrusions, etc. that I've ever dealt with in my professional life - there is ZERO CCTV footage, even with dozens and dozens of cameras around all the places I've worked.

5
0
Lee D
Silver badge

Re: sure no one is watching

"Researchers find way to tweak CCTV camera IR LED's to 'see through' Post-It notes".

8
0
Lee D
Silver badge

Re: Security? We've heard of it.

To be honest - for home use, yes, that's pretty devastating.

For anywhere that matters - are you really allowing your cameras on the same VLAN as anything other than other cameras? Are you really giving that VLAN Internet access? And do you really need to allow viewing of those cameras remotely from random IPs requiring port-forwarding etc. that you couldn't just do over an approved VPN to the right VLAN?

The kit is dodgy, whether it's £2000 big-name cameras or £20 Amazon specials, it shouldn't need to talk out like this at all, and thus you shouldn't let it. If you don't let it, it can't be used as a launching-off point to the rest of the network even if entirely compromised, and can't be found just by trawling the Internet for open-ports.

Hell, my own users can't ever get to the point where they can see the cameras on the network themselves, or any of the NVRs. They can only connect to a single machine which straddles the CCTV VLAN and provides them access via a logged and audited relaying portal which then mirrors some of the RTSP streams that the NVR provides from the cameras it records 24/7.

The IoT problem is as much about people just throwing stuff on their systems as if it'll magically configure itself securely as it is about devices coming with poor defaults and dodgy cloud portals.

15
1
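The segmentation described in the comment above (camera-only VLAN, no Internet access, no port-forwards, remote viewing only over an approved VPN), expressed as an automated firewall audit. This is an added example, not part of the original post; the address plan, rule format and finding names are assumptions made for illustration.

```python
"""Audit a firewall rule table against a camera-VLAN segmentation policy.

All addresses, rule IDs and the rule format are constructed sample data.
Simplification: each allow rule is judged on its own; shadowing by earlier
deny rules in a first-match firewall is not evaluated.
"""
from ipaddress import ip_address, ip_network

# Assumed address plan (hypothetical).
CCTV_VLAN = ip_network("10.20.0.0/24")   # cameras and NVRs only
VPN_POOL = ip_network("10.30.0.0/24")    # approved VPN clients
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule table. The relay portal's user-facing NIC is 10.10.0.50.
RULES = [
    {"id": "r1", "action": "allow", "src": "10.10.0.0/24", "dst": "10.10.0.50/32"},  # users -> relay portal
    {"id": "r2", "action": "allow", "src": "10.30.0.0/24", "dst": "10.20.0.0/24"},   # VPN -> CCTV VLAN
    {"id": "r3", "action": "allow", "src": "10.20.0.0/24", "dst": "0.0.0.0/0"},      # cameras -> anywhere
    {"id": "r4", "action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/24"},   # users -> cameras directly
    {"id": "r5", "action": "deny",  "src": "10.20.0.0/24", "dst": "10.10.0.0/24"},   # cameras -> users
]

# Constructed WAN port-forwards (DNAT entries).
FORWARDS = [
    {"id": "f1", "wan_port": 8000, "target": "10.20.0.31"},  # lands on a camera
    {"id": "f2", "wan_port": 443,  "target": "10.40.0.5"},   # unrelated web server
]


def is_internal_only(net):
    """True if the network lies entirely inside private address space."""
    return any(net.subnet_of(block) for block in INTERNAL)


def audit(rules, forwards):
    """Return (id, finding) pairs for every policy violation found."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = ip_network(rule["src"]), ip_network(rule["dst"])
        # Cameras must not be able to talk out to the Internet.
        if src.overlaps(CCTV_VLAN) and not is_internal_only(dst):
            findings.append((rule["id"], "internet-egress"))
        # Only the VPN pool (and the VLAN itself) may reach cameras/NVRs;
        # everyone else goes through the relay's user-facing address.
        if (dst.overlaps(CCTV_VLAN)
                and not src.subnet_of(VPN_POOL)
                and not src.subnet_of(CCTV_VLAN)):
            findings.append((rule["id"], "direct-access"))
    for fwd in forwards:
        # A port-forward into the VLAN makes the device findable from outside.
        if ip_address(fwd["target"]) in CCTV_VLAN:
            findings.append((fwd["id"], "port-forward"))
    return findings


if __name__ == "__main__":
    for item_id, finding in audit(RULES, FORWARDS):
        print(f"{item_id}: {finding}")
```
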

Microsoft deletes deleterious file deletion bug from Windows 10 October 2018 Update

Lee D
Silver badge

If they hadn't allowed every-man-and-his-dog to trash my My Documents folders so that it more resembles a list of every manufacturer's idea of what to call their product folder, with no useful files to me in any of them, and which stay there forever, maybe people would actually use it.

And maybe you could do proper user-data / program-data separation such that programs NEVER have a need to iterate or access such folders and the user can choose what they do with their own data and how to organise it completely outside the scope of where a particular program feels it should shove "My Cyberlink DVD Projects", etc.

We need to move to a container-style where programs each have two folders: Program Data. User Data. Anything saved in User Data *CAN* be accessed by the user, but the program can NEVER access any other file the user has. The user only ever sees a collated list of User Data for all programs that they CHOOSE to see (i.e. I don't care about seeing my Cyberlink DVD projects as I only ever access them from Cyberlink software, etc.) - kinda like "Add to My Drive" / "Shared With Me" in Google Drive. I mean... this is what all the Documents and indexing junk in Windows is SUPPOSED TO BE FOR.

Similarly if the program then can only access the data it's GIVEN by the user, and the data it creates itself, it can't trash stuff or snoop into everything in My Documents (as it can currently do). Removing the program is a simple choice - delete the Program only, or the Program and the Data? Done. Gone. No traces. Finished. Out of here.

Then the OS would NEVER have to mess with user files, redirects or anything else. The programs wouldn't be able to either. And I'd have a single storage for any of 20+ locations I choose to put things if I forget where I put them, without them cluttering up with everything from My Music to a folder for every damn program I've ever opened.

Hell, use your brain and the registry could work the same way. And you could literally run a program and NOT give, say, GTA V access to all your CAD documents, where one slip of a temp-file removal code or a bit of macro could wipe out everything you've ever stored. How amazing would that be?

We honestly still don't design software or computers properly. There's literally no need for this - and we still do it on Windows, Linux, Mac and Android (Android, ironically, gets closer than most!).

Program in one folder. Data it creates / requests in another folder. Do it properly and they're nothing more than hard-links to the real file or even copy-on-write links so that even if program X thinks it's trashing your hard drive, it actually isn't, only its own view of it. Use things like Redirection, Shadow Copies and Indexing properly and you even get an "immutable" user space that you can give to programs and roll-back when they mess up, while your documents were always safe and sound.

Do it *really properly* and you could even fake "Yeah, let this program think it's on the net / accessing my files / modifying the registry for real but just emulate the changes inside a container for it" for compatibility with those programs that feel they MUST be able to write to C:\

4
5
Lee D
Silver badge

Re: *** Be careful *** Also new in 1809, changes to Disk Cleanup Tool,

Except if you had OneDrive and AutoSave it similarly trashed files.

Never attribute to malice what can be explained by sheer idiocy.

(For a start, why physically delete those files rather than "Recycle Bin" them?)

24
0

On the third day of Windows Microsoft gave to me: A file-munching run of DELTREE

Lee D
Silver badge

Yeah, you remember that "we'll push updates automatically and you won't get a choice in the matter thing"? Yeah, that's when I stopped upgrading.

I can only imagine why that was, and what I could have foreseen happening in that respect, and what I said would happen when they stop doing in-house testing and start using the world as a guinea pig.

P.S. Not the first Windows 10 upgrade/update that I've heard of that just trashes the user profile. I have at least three documented cases of people upgrading from 7 or 8 to 10 from the forced update and then discovering that there was nothing left in their documents folders.

And, of course, they didn't get a chance at a rollback or to say "go away, so I can backup everything in my own time" before it was foisted upon them.

32
0

Wi-Fi Alliance ditches 802.11 spec codes for consumer-friendly naming scheme

Lee D
Silver badge

Re: If it is not broken...

Exactly.

We should have stuck with the original naming scheme.

802.11 a, b, ...

Like all naming schemes, it started out well, then ended up in a mess of non-intuitive junk (g, n... is ac better or worse than a?), then has logic re-applied to it when people realise that it's just stupid.

CONSECUTIVE INTEGERS, or letters if you prefer. Minor versions being near-consecutive decimal upgrades to the existing version (i.e. either consecutive 10ths or 100ths depending on the "size" of the update... 3.1, 3.2, 3.3, or 3.3.1 being a minor update to 3.3).

Any other version naming scheme is a nonsense - excluding minor versions (e.g. 98SE, etc.), and often cycles back to common sense.

Windows: 1, 2, 3, 95, 98, NT/2000, XP, Vista, 7, 8, 10...

Office: 1, 2, 3, 4, 95, 97, 2000, XP, 2003, 2007, 2010, 2013, 2016, 2019... (not even including some Mac, etc. versions!)

Linux: 1, 2, 3, 4.

There's no need for it. Even 2G/3G/4G recognises this. Nobody cares about LTE, HSDPA etc. they just want to know if it's one of the "new lot" or not. 4G > 3G > 2G > "G".

Anything else is literally marketing gumph designed to mislead, confuse and obsolete. It's even mocked - no movie sequel is ever anything more than "Movie 2", "Movie 3", unless it's literally taking the piss: Naked Gun 33 1/3rd.

19
7

Free for every Reg reader – and everyone else, too: Arm Cortex-M CPUs for Xilinx FPGAs

Lee D
Silver badge

Isn't the Cortex M3 the chip used in the Arduino devices?

https://en.wikipedia.org/wiki/ARM_Cortex-M#Cortex-M3

Basically, this means you can make an Arduino-compatible board from an open-core processor.

That's a pretty big plus for the hobbyist electronics people.

0
0

Location, location, location... technologies under the microscope

Lee D
Silver badge

Re: BlueTooth? No Thanks

Even most people who have bluetooth don't have it enabled to be always-visible, hence they don't get pairing requests anyway. So they can listen to their bluetooth headphones, join to their car's bluetooth, etc. without ever caring about those people trying to spam them over bluetooth.

10
0
Lee D
Silver badge

Not without me accepting a pairing request, and pretty much I don't have pairing requests enabled unless *I'm* the person trying to add a device.

Also: What's the point? Hey, guy just about to buy a bottle of ketchup. Here... have an offer and make that ketchup cheaper so we make less money? I don't get it. Or you could just put a barcode in the ketchup aisle if you want to do an offer on a particular brand (hey, put a screen in there and you can change the offer as often as you like).

Maybe some Bluetooth passive monitoring but, again, what's the point? This guy lingered in the ketchup aisle for 20 seconds and then bought some ketchup. You can pretty much tell the important part of that from the checkout receipt anyway, can't you?

I remember studies saying that, pretty much, all the brand loyalty cards, etc. don't really give anyone that much information that they don't already know. ASDA (Walmart) - one of the largest - don't even have one, do they? You know what goes through your tills, when, and in combination with which other items down to the last iota nowadays, surely? The value in anything further is pretty minimal, just joining someone to their previous transactions on a voluntary basis rather than, say, matching on credit card.

Pretty much spamming someone who's ALREADY in your shopping mall / store is a pretty dumb idea and just going to drive people away.

7
0

VirusTotal slips on biz suit, says Google's daddy will help the search for nasties

Lee D
Silver badge

Re: so..

Because licensing VT for such use would likely be very expensive.

It's not about "can you", it's about "how much does it cost".

How much did you pay for your browser? How much would you be willing to pay "per download" that you use it to do?

Precisely.

0
0

Sync your teeth into power browser Vivaldi's largest update so far

Lee D
Silver badge

Re: Good news

Chromium then.

Even has auditable source code.

3
1
Lee D
Silver badge

Re: Good news

Same.

I've given up waiting really. I just need a mail client as I've got used to using Opera for mail/RSS and Vivaldi/Chrome as browser - I'd love to have them integrated but it's never going to happen now.

In that circumstance, Vivaldi offers me nothing spectacular at all over Chrome, so it'll likely be ditched. I had it and used it BECAUSE of the promises of getting the Opera-like mail integration and it's been years and there hasn't even been a single step in that direction and it looks like they want me to use a web-based Vivaldi-branded mail now.

Bye lads. I'd have paid like I did for Opera. But you are more interested in changing the logos/icons (three times in two years) than you are in actual functionality that makes you different from "Chrome + some extensions".

1
9

Perfect timing for a two-bank TITSUP: Totally Inexcusable They've Stuffed Up Payday

Lee D
Silver badge

Re: Rather than waste time tweeting...

"And then you need to jump through hoops to get your company payroll to acknowledge your new account, keep both open at least until the next payday to play "which account gets paid?" lottery, transfer money from one to the other, wait the requisite 2 days for a bank-to-bank transfer etc."

No... Current Account Switch Guarantee includes:

"Redirect any payments accidentally made to your old account and get the sender to correct your details"

So no... you switch, close the account, done. Not saying it's 100% perfect, but the only thing stopping you is your own paranoia about "what if my old bank..." which is exactly why you should switch away from them.

8
0
Lee D
Silver badge

Exactly. Vote with your feet.

I have eliminated most of the high-street banks that way. The one that survives has only had stuff that doesn't affect me (e.g. business banking problems), etc.

However I also have a few of the more niche players on the sidelines ready to move all my accounts to if I should get disillusioned.

8
0
Lee D
Silver badge

Re: Rather than waste time tweeting...

Not really.

Current Account Switch Guarantee.

Go to new bank. Sign up. Instruct them to move your account over. They have a required number of days in which to do it, including all your existing payment arrangements.

Including business accounts.

If you're still with TSB now, I judge you.

42
0

Attempt to clean up tech area has shocking effect on kit

Lee D
Silver badge

Re: Electrifying

In a school. One of the offices has a fuseboard that kept popping. We had electrical problems all over because we just kept expanding and expanding, but we slowly eliminated all the causes (things like crossed-phases on a two-plug heated canteen trolley, etc.) and got them fixed.

But one continued to baffle me - when the office woman put her fan on, sometimes the fuse popped. But not immediately. Often some hours after being plugged in. Even when there was nothing else on the circuit. It took months to narrow it down to the fan and I still kept thinking the fan was faulty somehow, but it always checked out and worked fine elsewhere.

Traced the problem eventually. Someone had re-wired the plug on the extension lead at some point and got it back-to-front and got the brown and blue mixed up - the PCs and printers wired into it didn't care. But the fan somehow did*. I was always amazed that it lasted that long, that such a low-wattage item could take out the whole circuit, and that it would run happily for days at a time without popping.

Rewired the extension lead properly, and everything has been good since.

(*maybe because it was a metal guard on the fan if it spun and touched something that was earthed? I don't know, I can't imagine that the fan guards are electrically connected at all, and the earth pins were fine).

13
0

Your specialist subject? The bleedin' obvious... Feds warn of RDP woe

Lee D
Silver badge

Re: Hard not to agree...

I run RDP through an IPS system, it then goes to a limited machine that's only used for RDP clients, where they are asked to login via a brute-force protected login, using an AD account that would give them credentials enough to log into webmail or other services anyway. That then not only notifies logins to a monitored account, but also challenges them for 2FA (using multiOTP) before they can actually proceed with the login.

Even "in theory" complete compromise of the underlying machine gives you - access to a client machine. It's not a server. It's literally a client image. If you do proper RDP-farm Terminal Server VMs, that machine is nothing more than a clean-imaged client VM every single time you log in with no history / other users present on that VM.

People who use RDP for administration - yes, that's different and you want to remove that visibility at all. But TS access to clients, you can log it - it's just like that authenticated client logging into any other machine. No matter WHAT their remote machine has installed and listening on it, or the state of their local network.

0
0
Lee D
Silver badge

Re: re: sucking data

But you can do nothing that you couldn't do INSIDE the network, on a machine, as that same user.

If the software doesn't let you export that data, or copy to clipboard, then you're literally into screenshot territory. Plus all your monitoring, auditing, etc. software is there installed on the machine that's being copied from, not to mention you could in theory be monitoring that session.

VPN, that's not true. It's just network access.

RDP to servers, etc. yes you want to limit to administrators only via secured channels. But general users over RDP inside limited VMs? So much safer than a VPN for the same users.

0
0
Lee D
Silver badge

I'm not convinced.

RDP = "look at this picture of secured and configured internal system that is compliant to all our policies" and if you disable file sharing "no, you can't just suck the network data out of the connection".

VPN = "send whatever traffic you like down our wires from whatever machine you might want to, which might have anything on it and might pull any traffic or data it sees".

RDP can also be secured against non-protocol problems (e.g. brute-force password attacks, etc.) using 2FA, and "protocol" vulnerabilities are rare and patched against.

I still think the attack surface of RDP is not only much lower, but much easier to secure, much less damaging and keeps everything internal - your data is less likely to wander off without a trace. Imagine: A rogue program on someone's machine gets access to their remote access method. There's credit-card info of a million customers there. You discover that. Now you need to make a disclosure.

With RDP - it's whatever that session accessed, as that user, over whatever programs are available, on what could be a freshly-imaged VM (basic terminal server functionality in Server editions allow you to wipe a bunch of VMs back to image and use a new one for each connection that comes in) inside a session, and then - whatever method it used to extract and distribute that data using whatever programs are available on that VM only.

With VPN - that's a complete traffic trace (if you could even store that amount of data) and a huge amount of potential access to internal systems.

And both have flaws, need patches and can be badly configured.

"Show me a picture of a machine like one I use in work" will always seem less damaging than "join me to your entire network" (even if you put in firewall controls, etc., if they are to access a shared drive, you're allowing the CIFS ports and traffic, and bang you've opened up whole new classes of vulnerabilities). If you're using RDP, you need to hope that the remote machine is even *capable* of executing the program you want to use to steal information, and that they haven't whitelisted the software on those machines such that you can't even try to plant a virus or email yourself an executable, etc.

3
4

Android Phones are 10: For once, Google won fair and square

Lee D
Silver badge

Amazon deals - unknown make and model - I think one was an "Opera" tablet (yeah, that was just the brand-name they emblazoned on the back). The other was a managed kid's smartphone that was just Android with some MDM and control apps. Same place - Amazon, random brand (but can't tell you which one as my kid has it over in Spain nowadays!).

2
0
Lee D
Silver badge

Android won because iPhones are stupidly expensive.

Not because Android was "free" because it wasn't, and it certainly isn't by the time it gets to the consumer.

The reason Android is 90% of the market is that they can literally be 10% (or even less) of the cost of the iPhone or iPad, brand new. Simple as that.

(Holds a £10 Android 7" tablet in his hands. Bought from brand-new. Works fine. Once bought a £20 Android kid's smartphone. Bought from brand-new. Works fine. Looks at the stack of iPhone screen repair tools in his office - costs £50-70 each time you break it. And that's just the screen)

88
1

'Incommunicado' Assange anoints new WikiLeaks editor in chief

Lee D
Silver badge

"arbitrarily detained"

To detain:

- keep (someone) from proceeding by holding them back or making claims on their attention.

- keep (someone) in official custody, typically for questioning about a crime or in a politically sensitive situation.

- officially seize and hold (goods).

None of the above are applicable to Mr Assange. He is not being held back by the Ecuadorians, or in official custody, or being seized or held.

In fact, being where he is is STOPPING him being in custody, which is kind of the problem.

Sorry, Jules, it's really time to come out because even the Ecuadorians are sick of you now.

25
2

The Register - Independent news and views for the tech community. Part of Situation Publishing