
* Posts by DropBear

3891 posts • joined 4 Mar 2013

'90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years

DropBear
Silver badge

It's easy to pin this on the Big Bad Companies more than willing to take your money peddling sub-par unfinished wares left and right - and they totally do deserve everything they get blamed for and more; but the truth is* all their cost-cutting and greed contributes to the problem of insecure software only peripherally - it does not create it.

Simply put, I don't think there's any field of human endeavour where piled-up complexity is comparable even within orders of magnitude with what is happening inside computers today; and it has long ago reached and far exceeded the limit of what we - or the tools we were able to create - can cope with.

Once it was feasible to write a piece of code on a Spectrum that did all you wanted done and exactly that, without any bugs. It was incredibly hard, but it could be done. It still can be done with a microcontroller with a few kilobytes of RAM and ROM. But not with any OS-driven PC or smartphone, with its gigantic spider-web of layers upon layers of libraries and frameworks and services all full of unforeseen edge cases and imperfect joints.

And that's only the parts that - against all our efforts such as they are - end up too rickety to support their own weight; we have yet to account for the myriad of other places where the bracing is more or less reasonably sound, but not armour-plated: all the code that manages to not collapse on its own but remains vulnerable to deliberate malicious interference. How much time does it take to create the best, most solid code we can possibly create, such as that governing spaceships and aeroplanes and weapons...? Years and years - and even so that code doesn't typically need to withstand getting picked apart and abused by adversaries, since most of it remains inaccessible to tampering.

Bottom line, since this rant is getting too long anyway: we would need to stop releasing ANY new software for a whole decade. Everything frozen in time. NO new features whatsoever - none. The world's entire IT industry, only hunting and fixing bugs and vulnerabilities. And you know what? After ten years, having gotten rid of everything we could find, there would still be countless bugs and countless vulnerabilities still remaining in all that code, only now a number of "Y" instead of "X". Not "some". Not "few". Not even necessarily "fewer".

I don't know what the solution is - what I do know it's definitely not "focus harder", nor "patch harder". Neither of those will ever get us anywhere NEAR "no-bugs" or "no-vulns" nirvana. Not soon - EVER. We need something completely different if we are to ever get there, assuming it is even possible at all...

* Needless to say, all of the above is "IMHO".

1
0

What can you do when the pup of programming becomes the black dog of burnout? Dude, leave

DropBear
Silver badge

Throwing one extreme to the wind for another is not going to lead you to answers.

1
1
DropBear
Silver badge

Re: Make time for yourself - Don't go above and beyond

"It's similar to Facebook likes (and Register upvotes). In the long run it doesn't really benefit you"

Only even knowing that offers no relief...

1
0
DropBear
Silver badge

"A manager's job is to manage resources, not exhaust them."

You mean like how, for example, we as a species "manage" oil*...? You're deluding yourself. "break open, consume, discard" are the only words anyone knows when it comes to any kind of resource, _especially_ managers. And there's never, ever a shortage of more people.

* This is NOT an eco-rant. I'm just making a point.

5
0
DropBear
Silver badge

Re: I don't recognise this. ...

"I have alarm bells ringing for any organisation where people are either so overworked or so fed up with their co-workers that they want to be along for 45 minutes."

Hell is other people. I insist on getting to choose the few people I actually WANT to socialize with, and on doing it over a drink, on my own time. All of which are incompatible with any office setting. No. You're not getting to have lunch with me and leech away even more of the energy I don't even have.

3
0
DropBear
Silver badge

Re: Working in IT is a magical, mysterious, and wonderful task

You know how ever since Mark Twain fence painting can be either a privilege or a chore...? The thing is, it's a chore as soon as you HAVE to do it, and that's pretty much the definition of a job. Ninety-nine point ninety-nine percent of people aren't getting paid to explore the whimsical worlds they would actually enjoy - but to keep their head down and keep manning the oars as the drum beat commands. Is your daddy a lawyer, doctor or businessman? No? Then you're not here to enjoy the ride, sorry.

7
0

What's all the C Plus Fuss? Bjarne Stroustrup warns of dangerous future plans for his C++

DropBear
Silver badge

For some reason, people seem to think that piece is a joke. I cannot possibly imagine why. Adding "I'm just kidding" after "I eat babies" does not make it so when you really do. Now let the downvotes commence...

9
0

Developer’s code worked, but not in the right century

DropBear
Silver badge
Facepalm

Re: quietly removed from those who hadn’t.

But the article seems to make it sound like the points showed up for nobody, not even once, and the customers noticed _missing_ points that couldn't possibly have been the ones supposed to be applied randomly, or maybe the confusion is even worse...

4
0

Indiegogo lawyer asks ZX Spectrum reboot firm: Where's the cash?

DropBear
Silver badge

...or you can buy the $10 full-size bluetooth gamepad with a holder clamp for your smartphone, which is definitely capable of emulating any Spectrum.

4
0
DropBear
Silver badge
Facepalm

"Kickstarter at least wants to see a working prototype..."

Pointless lip service to grand ideals, they literally couldn't care less whether or not there's an actual prototype. There have been projects reported to KS (long after funding ended, for basically absconding with the funds) by half of the entire backer base (or so the comments seem to suggest) and absolutely nothing, nothing at all happened - not even a "we tried, they aren't answering us either". There are literal, obvious perpetuum mobile "projects" being proposed regularly and nobody seems to mind. KS gets his cut on whatever gets funded, and it's quite obvious that's the only thing they care about - anything else is just noise in the wind...

8
0

Meet the Frenchman masterminding a Google-free Android

DropBear
Silver badge

Why would you say that I see ads? I don't. Really. Not in my (adblocked) browser, not on my (ad-skipping) TV recorder box, not on (YePpHa ftw!) YouTube, and absolutely definitely not on my rooted phone equipped with AdAway, AFWall+ and XPrivacy but not a single app peddling any ads - it's a deal-breaker at install time.

2
0
DropBear
Silver badge

Re: He's late to market

Last time I looked (admittedly a while ago) at any "Google free" ROMs on XDA it was something like "oh sure, we definitely have a working image for that phone, but you should know that the camera app literally only captures a frame from the camera when you press the single button it has without any other settings, the WiFi chipset driver kinda tends to drop connections oh and forget about any gyro and magnetometer support (and we promise none of the above will get any better any time soon, sorry) but hey nobody uses those anyway, amirite...?" whereupon I nope'd out of there immediately. "Phone actually does all relevant shit" trumps "but privacy!" without contest each and every time, no matter how interested and concerned I may happen to be regarding the latter.

7
4
DropBear
Silver badge

Re: Sounds good

"He seems aware of the challenges."

Funnily I got the exact opposite impression. By his own admission he lacks any in-depth insight into either Android in particular or dirty specifics of mobile tech in general, being more of an "IT guy with a list of itches he wants scratched" long-distance-working with a ("the") programmer and an ("the") artist each on different continents. I could be wrong but it comes off awfully much like a naive "you can do ANYTHING if only you put your mind to it" proposition when the actual task at hand is more like "proceed taking flight by jumping off this here cliff, without using any additional implements for assistance, at your earliest convenience, we're waiting...". Forking some existing code and hammering out yet another absolute bare-bones launcher doesn't even begin to address the enormity of what would be required here (first of which would be a sizeable community of active contributors) IMHO...

5
9

BOFH: Got that syncing feeling, hm? I've looked at your computer and the Outlook isn't great

DropBear
Silver badge

That's what happens when you fix "I must be right" as the primary axiom of immutable truth (a thing most people seem to be doing, even if unconsciously) and derive any and all aspects of reality suitably bent pretzel-like, as needed, to fit that. Pushed far enough, people are willing to deny the very existence of the Sun in the sky even as they are sweating its heat, if it would mean having to admit being wrong. That would be a reduction to an absurdity, implying that the assumption that the Sun exists _must_ be the false one, full stop.

The key realization here is that arguing with these folks is utterly pointless, because the point you are trying to dislodge is the fulcrum itself - anything is allowed to move except that very point, regardless of how long your intellectual lever is. You're trying to prove false something they _know_ with absolute certainty to be true; not gonna happen, and the more eloquent argument you manage to construct driving home the inescapable truth of your point the worse it ends up being for your blood pressure to see it nonetheless rejected without explanation.

16
0

Quantum cryptography demo shows no need for ritzy new infrastructure

DropBear
Silver badge
Angel

Re: Man-in-the-middle

Tried to grasp the basic principles and educate myself (hahaha, isn't he cute...), immediately crashed and burned miserably. Actually, you know the Peter principle, the one that says that in a hierarchy a person tends to rise to his "level of incompetence"? I propose a corollary, stating that any random walk starting out in the "higher spheres" of Wikipedia results in a person rapidly sinking to their level of competence.

You keep branching off at the second or third unintelligible sentence of each article until you reach a page you can read and understand in its entirety without needing to look up ever-newer (and even more basic) concepts you never heard of - which is how you start at "quantum key distribution" and end up at "plane_(geometry)". Be advised though, only local points of equilibrium exist in this realm - venture far enough away from one you managed to reach, trip on something like "Hesse normal form" (in the same article) and right down the rabbit hole you go again...

7
0

The eyes have it: 'DeepFakes' bogus AI-meddled videos outed by unblinking gaze

DropBear
Silver badge
Facepalm

Well-meaning but completely misguided effort. Trying to "save" the credibility of video recordings is a lost cause and has been for quite a while now. Anyone who still thinks any sequence of moving pictures "proves" anything even after having seen a few modern movies full of CGI (these days obvious only through the clear real-world impossibility of whatever is shown) needs to swap their brain for a non-defective one.

2
0

User spent 20 minutes trying to move mouse cursor, without success

DropBear
Silver badge
Happy

Re: Keyboard ecosystems

Regarding spills - my keyboard (DIN5 plug, none of this newfangled PS2 nonsense) was proudly proclaiming on its box at the time that it was spill-proof (post-Y2K translation: "spill-resistant") thanks to the small "wells" in the plastic top surrounding the key stems. I do believe it would indeed handle a modest, peripheral splash but probably not a point-blank full cup knock-over. Luckily, it seems to endure occasional full tear-downs for cleaning purposes just fine though, otherwise it would not only be alive by now but probably properly artificially intelligent as well, which is a hella scary thought for a device that not only literally controls my computer but would also know all my passwords...

7
0

Intel chip flaw: Math unit may spill crypto secrets to apps – modern Linux, Windows, BSDs immune

DropBear
Silver badge
Trollface

Re: I'm OK then...

...but if you use more than one decimal dot in your password, will it crash the FPU...?

2
0

Turns out China loves VR. Wires and powerful hardware, less so.

DropBear
Silver badge
Holmes

Hardly surprising that the "tethered" headsets (I don't think the tether plays any role btw) which are a) obscenely expensive for the non-essential device they are, b) require even more obscenely expensive hardware to support them appropriately, c) are either owned by the poxy bastards from Facebook and d) are largely tied into the poxy shit peddled by Steam or e) require a game console to use that many people don't already have are not quite flying off the shelves.

Meanwhile cheap-and-cheerful lenses-in-a-box can show you anything you can install on your Android phone (including streaming semi-fake* 3D directly from your PC wirelessly) where those interested can later seamlessly transition to an (also Android running, natch) "standalone" headset if they feel it offers anything extra (or just want the use of their phone back...). Sherlock icon for "no shit".

* it is semi-fake** because it's usually two copies of the same 2D image individually re-shaded (based on access to the game's z-buffer) into appropriately squished and stretched simulacra of what you're supposed to see - needless to say, neither eye actually gets any extra information normally present in actual true 3D related to one eye seeing things occluded by an obstacle for the other eye. All this applies only to stuff on your PC that doesn't natively support side-by-side 3D of course - anything that does (including pretty much everything on Android) lets you see proper 3D even on your Cardboard-equivalent. Yeah, the field of vision can't compare to an Oculus - who cares? The lenses-in-a-box are like $10...!

** there's a "full" fake version where the streaming software just duplicates the exact same image for both your eyes (usually if re-shading fails) - it has zero 3D but it's still interactive VR, as in you move your head and the image reacts accordingly because it's still streaming your phone's gyro data back to your PC as mouse movements...

3
0

UK.gov online dating tips: Do get consent, don't make false claims or fake profiles

DropBear
Silver badge

Re: Temp email and garbage is your friend

Now you're making assumptions. Who said your profile page has anything like a "change email" link (true story)...?

1
0

Astroboffins trace mysterious noise from hard rock in space

DropBear
Silver badge
Paris Hilton

Nothing new here, the diamonds were quite well known to be up there in the sky. But where did Lucy go?!?

6
0

Open Source Security hit with bill for defamation claim

DropBear
Silver badge

Re: OSS deserves everything coming to them!

The only thing that saddens me about this is that OSS will probably _not_ get well and truly bankrupted by the judgement. They absolutely should be obliterated, with extreme prejudice. Handling costs of such trivial litigation as a routine cost of doing business should not be possible - any company engaging in such practices should face the likely prospect of a fine ten times their entire worth. Maybe that would make them less touchy and think twice before "getting offended".

3
0
DropBear
Silver badge

Re: No Trademark

Bullshit. I've seen many examples over the years which were labelled "Open Source" with the source accessible in some manner for which you still had zero rights outside of looking at it. I don't give a crap that's not what some people mean when _they_ talk about OS, the point is that many clearly mean something wholly non-open by it, which is why a distinction is necessary and still very much useful. To date, I have seen ZERO software claiming to be "libre" except chained seven ways to hell.

0
4

Yahoo! Kills! The! Messenger!

DropBear
Silver badge

Re: F' Oath

Why would you be 'cautious' in using 2-factor for whatever you like? I enabled it on absolutely everything that allowed me to. Unless of course you mean "2-factor by SMS to my phone" which I just have no interest in, using an open source TOTP app instead; the sites I use it on don't know any more about me than they did before - how I conjure up the 6-digit code they ask me for 2FA is none of their goddamn business.

0
0

No lie-in this morning? Thank the Moon's gravitational pull

DropBear
Silver badge
Trollface

@ I ain't Spartacus: oh, absolutely - it's just a temporary effect, until I get back into bed in the evening. However, the guilt of making everyone's workday slightly longer day after day is absolutely crushing, hence the remorse...

0
0
DropBear
Silver badge
Trollface

My theory is that every time I get out of bed in the morning I momentarily contribute to slowing the Earth down a bit by raising my centre of mass - and since I find this unconscionable, I think I should just stay in bed all day...

12
0
DropBear
Silver badge

Re: Geostationary Moon at some point

While the Earth and Moon do indeed orbit around a shared barycentre (and surely ultimately everything affects everything else when you get to the small print) at a first glance I don't really see what role it might have in tidal effects. Or is this a "small print only" effect...?

1
0

BlackBerry Key2: Clickier, nippier, but how many people still want a QWERTY?

DropBear
Silver badge
Joke

Re: pre-owned soul, barely used

Let's not get bogged down in semantics - I personally guarantee any scratches will buff right out, it's almost as good as new!

2
0
DropBear
Silver badge
Devil

Re: "but how many people still want a QWERTY?"

No, here, here please! Just let me have my portrait full-qwerty, pretty please, with a cherry on top! Look, I know this is a pre-owned soul but I swear it's barely used, you can have it...! Where do I sign...?

2
0

Oddly enough, when a Tesla accelerates at a barrier, someone dies: Autopilot report lands

DropBear
Silver badge

Re: Unfunnily Enough

Fine, I promise not to tell any jokes at the funeral. I promise absolutely nothing about anywhere else. Go take your over-the-top piety somewhere people actually care for it.

11
0
DropBear
Silver badge

While I don't find Elon's reaction particularly tasteful, I don't think he did anything out of the ordinary either. Tesla didn't lie; they were simply quick to point out anything and everything that may have contributed to the crash beside their own role. Hardly surprising, that. Every single person and company I can think of does exactly that immediately whenever blamed for something. It may not be the reaction you're looking for, but it's certainly human nature...

3
1
DropBear
Silver badge
WTF?

Re: After the last childish outburst...

Now extend that to the idea that you messed up, and somebody is dead because of the inadequacy of your efforts. How do you make good from that?

EASILY. I would say with a shrug, but your death or mine doesn't even warrant that much. No, I'm not talking about me - I'm talking about doctors. If you think any of them will have trouble sleeping at night because you died because of something they did (or more likely, failed to) do, think again; they'll do the exact same thing tomorrow. Those who would have felt responsible are either younglings who'll learn soon enough not to, or aren't doctors any more. If they'd actually care, they'd go mad. So they just don't. Those who are still there don't see you as a person. You're just more meat for the system. A lot of it dies. Plenty remains. See? Easy...

1
4

Microsoft will ‘lose developers for a generation’ if it stuffs up GitHub, says future CEO

DropBear
Silver badge
Coat

Dear MS,

FYI, not everyone who does intend to leave has actually made his move yet.

14
1

Chinese tech giant ZTE is back in business – plus or minus $1.4bn and its entire board

DropBear
Silver badge

Re: Trumpium War

I'm absolutely not an expert on the matter but... the Jǐnyīwèi might choose to disagree with that.

1
0

Monday: Intel touts 28-core desktop CPU. Tuesday: AMD turns Threadripper up to 32

DropBear
Silver badge

Re: Meh

Well, there's at least one game that has been, is, and will be for the indeterminate future* definitely CPU-limited - a certain space sim in development**. Nothing else you throw at it can make it run as anything other than a slide show. Of course, whether it would benefit from a 32-core CPU or not is anyone's guess - but I'm more than happy to test it if you sponsor me with a test rig...

* amazingly, it's scheduled to deliver some semblance of a solution to this issue exactly at the same time as El Reg switches to IPv6: "Soon". Or, reportedly, two releases from now which, considering their track record regarding deadlines and promises, is actually precisely equivalent to "Soon" down to at least twenty decimals.

** geologists reportedly found evidence somewhere below the Permian layer indicating that the game wasn't always in development; based on this, several cults - widely shunned by the scientific community at large generally agreeing that the Sun will go nova first - believe the game will likewise exit development stage some day, achieving what they call "Release". The subject remains poorly explored after several ethnographic expeditions setting out to study the particularly vicious attitude of these groups towards non-cult-members have gone missing to date, never to be heard about again.

3
0
DropBear
Silver badge
Trollface

Re: Maths co-processor?

There was no need. If it started to glow red hot, we could any time just hit the turbo button to scale it back down...

12
0
DropBear
Silver badge
Joke

Re: Gimme speed

Unacceptable! If nine women can deliver in one month the same baby that one woman can in nine months, there's no reason we shouldn't expect CPUs to get with the program too and start getting much faster again!

27
0

Crappy IoT on the high seas: Holes punched in hull of maritime security

DropBear
Silver badge

One can but hope Pen Test Partners won't be too pent-up about El Reg calling them so...

1
0

Loose .zips sink chips: How poisoned archives can hack your computer

DropBear
Silver badge

Oh FFS...

Jan. 1st - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.

Jan. 8th - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.

Jan. 15th - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.

Jan. 22nd - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.

...we keep using that word, "safe". I don't think it means what we seem to think it means.

0
0

US govt mulls snatching back full control of the internet's domain name and IP address admin

DropBear
Silver badge
Trollface

Re: Yay choices

"7) The bloke down the pub"

Well he does seem to be the unchallenged master of WiFi in his fine establishment, so one could argue he's actually more provably in control of the Internet over his own domain than ICANN is...

5
0

Four hydrogen + eight caesium clocks = one almost-proven Einstein theory

DropBear
Silver badge
Trollface

Because when you watch the clock you collapse the wave function by observing it, and as anyone who ever tried to unsuccessfully imitate a magician with a watch and a hammer can attest, a thoroughly flattened clock does indeed tend to stop ticking.

2
0

UK has data adequacy issues? Oof, that's too bad! says Isle of Man

DropBear
Silver badge

Re: The article neglected the biggest selling point

He sure seems well acclimated. I get frostbite just listening to him mentioning the temperatures he prefers to keep...

1
0

Intel claims it’s halved laptop display power slurpage

DropBear
Silver badge

Actually, it occurs to me that there would be a way to save major energy - by directionally emitting pixels, which is a nice way to say "horrible viewing angles". They would be the death of any TV or phone (not seeing your phone's screen resting flat on a table would be a disaster) but to be honest - how many times do you look at a laptop/desktop monitor any other way than head-on? If the fall-off could be made sharp and synchronous across colours (i.e. no "colour inversion" or other major change between +/- 15 degrees or so, then suddenly pitch black outside that) it might work, and you could even sell it as a "privacy" bonus feature...

1
1
DropBear
Silver badge

Re: will need an Intel display adapter

Just the one I work on at work - but why would there be an Intel display adapter in my AMD / ATI (sic) laptop...?

1
0
DropBear
Silver badge
Trollface

Re: no information here

I'm wondering whether they just handwaved some magic "AI" and "ML" into discrete LED backlight tiles to turn them off "betterer" when that part of the screen is dim (which as a general idea is really not new, it's what all the "LED TV"s do). Actual (O)LED panels don't need any extra tech - when they're off, they're off but that's not exactly novel - and traditional full-screen backlights just can't save power. Hey, maybe they invented tiny mirror-backed pixels that reflect all blocked light back into the backlight unit to be used by other pixels! Yup, that must be it...

1
0

Dual-screen laptops debut at Asus' Computex chat

DropBear
Silver badge

Ah. Almost there! Except please make it a dual-screen PHONE and let one of the screens be the keyboard whenever I need to type anything, instead of the current "you can see two lines of text over the keyboard" landscape mode. Other times just use the two screens as one large one, the missing "hinge" section won't be too much of a distraction between one row and the next reading a webpage in landscape. Although if you decide to just make one of them a permanent hardware keyboard you won't see me complain either...

2
0

Nadella tells worried GitHub devs: Judge us by our actions

DropBear
Silver badge

...and those who can remember the past are condemned to watch it repeat itself inexorably, regardless of how many do or don't remember it. It's a fool's game. Ask Cassandra. "We learn from history that we do not learn from history" - Hegel.

5
1

Fake NIPS slip site scandalizes AI world

DropBear
Silver badge

No idea. Let's ask arduino.cc (the reputable one)...

0
0

Whois? Whowas. So what's next for ICANN and its vast database of domain-name owners?

DropBear
Silver badge

Re: Personal vs business

Okay, that was probably not the ideal example, just the latest one I noticed going out of its way to stay silent on any specifics (incidentally, its whois is useless). I suppose I missed the mentioning of MapMakers in the ToS, although having to Google it for anything more (and the web-only contact form) is quite telling in itself - these are not people who want to be found. I've seen other sites in the past though where not even the ToS mentioned any names beyond whatever the brand (site) itself was called, and that was the end of it. Not a single one of them had a helpful whois record in any sense...

1
0

German court snubs ICANN's bid to compel registrar to slurp up data

DropBear
Silver badge

"But the court, noting that it was possible for a registrant to provide the same data for each of the three contacts - and that this had not led to a registration being denied."

Carefully saved in my doom survival toolbox, to be used in case I ever need to well and truly lock up a malicious hive mind or AI.

4
0

The Register - Independent news and views for the tech community. Part of Situation Publishing