
* Posts by MJB7

95 posts • joined 27 Nov 2013


The internet is going to hell and its creators want your help fixing it

MJB7
Boffin

EU ECHR

"Whatever level of stiffness the BrExit, if it has any form of formal agreement with the Eu ECHR has to stay"

Aaaaaaarggh! The European Court of Human Rights is entirely independent of the European Union. It is a creature of the Council of Europe (which has as members all European countries except Belarus, Kazakhstan, and Vatican City).

The senior court of the European Union is the European Court of Justice.

Remember Misco? Staff win protective award at employment tribunal

MJB7

Re: Administrators

Work? Work!?! I think you are failing to understand the business model of the standard administrator.

College PRIMOS prankster wreaks havoc with sysadmin manuals

MJB7

Re: Poorly configured system

"Almost by definition you'd think 'administrator' commands should only be available to administrators?"

You are obviously thinking with the mindset of a 21st century security consultant. The late 70s were a much more innocent time, when it wasn't completely obvious that just trusting people to be responsible wasn't good enough.

Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit

MJB7

Not in their interest, is it?

NCSC may be part of GCHQ, but their remit is to protect government (interpreted broadly) systems, and UK businesses.

There are plenty of other people saying password resets other than when compromised are a bad idea.

If Citrix wanted to do something useful, they could check new passwords aren't in the Have I Been Pwned database.
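The check the comment proposes works by hashing the candidate password with SHA-1 and asking the Pwned Passwords "range" endpoint for the first five hex digits only, then matching the remaining suffix locally. The following is an added example, not code from the commenter or from Citrix, and the range response it parses is a constructed sample embedded inline (the real service returns lines of the form HASH_SUFFIX:COUNT; the counts here are made up). `fetch_range` is a hypothetical callback so the HTTP call can be swapped in.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords range API. Keys are the five-hex-digit
# SHA-1 prefixes a client would query; values mimic the response body: one line per
# leaked hash sharing that prefix, "SUFFIX:COUNT". Counts are invented for the demo.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"   # SHA-1 of "password"
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"         # made-up neighbour
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"         # made-up neighbour
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the range protocol compares on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str) -> tuple[str, str]:
    """Only the 5-char prefix leaves the client; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map, ignoring blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def local_range_store(prefix: str) -> str:
    """Offline fetcher over the constructed sample; a real one would do an HTTP GET."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=local_range_store) -> int:
    """How many times the password appears in the (sampled) breach corpus; 0 if absent."""
    prefix, suffix = split_for_range_query(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def is_acceptable_new_password(password: str, fetch_range=local_range_store) -> bool:
    """Policy hook: reject any candidate seen in a breach, accept everything else."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), "hits;",
              "OK" if is_acceptable_new_password(candidate) else "rejected")
```

The password itself never leaves the client, and a suffix match is done on the full remaining 35 hex digits, so a prefix collision with another leaked hash does not produce a false positive.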

Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up

MJB7
Boffin

Certificate pinning won't help

Certificate pinning won't help with this at all. At least with Chrome, certificate pinning accepts any certificate signed by a locally installed root cert (as opposed to one which is distributed with the operating system). This is so that businesses who use a TLS decryption/encryption device to scan all outgoing TLS can continue to do so.

(I suspect the commentards here will have definite views on the desirability of such devices, but I can see why Chrome would decide not to fight that battle.)

It was a lit CeBIT see, got teeny weeny, world's biggest tech show yearly party... closed its German fest's doors yesterday

MJB7

Re: You only wish you're too old

According to WP Timmy Mallett only started being active in 1982. I graduated two years before that, and had stopped watching children's TV.

I'm not sure how I managed to avoid him when my son came along (but I did). What I have heard about him has not encouraged me to look more closely.

("teeny weeny" immediately made me think of "yellow polka dot bikini" - but I couldn't see how it fitted.)

Worrying Windows 10 wrecking-ball weapon weirdly wanders wildly on worldwide web

MJB7

Re: Sorry, but ...

The canonical expression is that "the attacker is the wrong side of the air-tight hatchway". At least it is if you read "The Old New Thing" by Raymond Chen (and you should).

It's Two Spacecraft, One Mission as BepiColombo gets ready to launch

MJB7
FAIL

JWST?

2021 for James Webb? You're having a laaf. That's about as likely as Berlin Brandenburg being open by then.

Insult to injury: Malware menace soaks water-logged utility ravaged by Hurricane Florence

MJB7

Re: who triggered it?

The sysadmins *should* be more resistant to these sort of attacks, but as they are actually humans (appearances to the contrary notwithstanding), they will still trigger the ransomware some of the time ... and we never get to hear about the cases that they didn't.

Sun billionaire Khosla discovers life's a beach after US Supreme Court refuses to hear him out

MJB7

Re: Sidewalk

At least in England and Wales (I can't speak for Scotland), you *do* own the land to the centre of the road - it's just that you can't stop people walking/driving/etc over it (it's a public highway).

So it is quite likely that the State of California *doesn't* own the roads (assuming a similar legal system to E&W).

Garbage collection – in SPAAACE: Net snaffles junk in first step to clean up Earth's orbiting litter

MJB7

Small vs large chunks

It's well worth removing the larger chunks *before* they become lots of small chunks.

Also, the small chunks in LEO tend to decay quite quickly because of atmospheric resistance - something as big as a cube sat will stay up much longer.

Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers

MJB7

Re: Max fine

"the regulator has no qualms about setting maximum fines for the really big offences" - I don't think that is what is going on here. I think what happened is that GDPR has upgraded the scale for fines like this. In other words the regulator thought about what fine they would levy if GDPR applied, and then capped it at what the DPA allowed.

I would be surprised if they would hand out a maximum fine under GDPR for this; but of course, even 0.4% of global turnover would get the attention of the boards of the other credit agencies.

'Men only' job ad posts land Facebook in boiling hot water with ACLU

MJB7

Re: (m/f) in job ads

Certainly in Germany, this is because discrimination is outlawed, but the grammar is such that job titles are different for men and women. A male programmer is "ein Programmierer", a female programmer is "eine Programmiererin" (you can occasionally still see that in English: "an actor" vs "an actress"). This applies to *all* job titles. That means you can either advertise for "ein(e) Programmierer/Programmiererin" or "ein Programmierer (m/w)" - and most choose the latter.

I expect the same applies to most European languages.

Raspberry Pi supremo Eben Upton talks to The Reg about Pi PoE woes

MJB7

Re: Hats off to 'em...

"TBH, we should have spotted this in testing"

Well yeah, that would have been nice. But the fact that your saying that in a public forum is not a career-limiting move is what we are applauding.

... although it would have been nice to see something about this in my RSS feed from the RPi blog (I'll go and sit in the nit-pickers corner shall I?)

Google goes bilingual, Facebook fleshes out translation and TensorFlow is dope

MJB7

Urdu?

A friend's daughter can (could - this is probably 20 years ago now) speak Urdu because she spent so much time playing with her best friend that she picked it up from the best friend's mother (who didn't speak English).

I imagine there is quite a bit of local authority material written in both English and Urdu.

Microsoft gives Windows 10 a name, throws folks a bone

MJB7

Re: LibreOffice

I use both LibreOffice and MS Office. LO is OK, but in my view it's definitely not as user-friendly as MSO (and I'm a bit of a power user). Whether the difference is worth the cost? For a business - probably.

Connected car data handover headache: There's no quick fix... and it's NOT just Land Rovers

MJB7

Re: Why?

Connecting the infotainment system to the ECU means that the radio can automatically turn up the volume as the speed increases (to compensate for increased engine and road noise). It is also dead useful for the navigation system to have access to the road speed from the ECU - it allows it to dead reckon inside tunnels (where the GPS signal tends to be somewhat limited).

Of course, in a properly secure system, the infotainment system would be connected to a secure module that can *read* the CAN bus, but refuses to write to it. The problem there is that another module costs dollars, and car manufacturers care about saving cents.

You may feel that remote central locking gets the balance between usability and security wrong; I don't. I value being able to remotely unlock the car - it's not a *huge* benefit, but the risk seems to be pretty low too.

MJB7
Headmaster

Re: NOT TO BE SOLD SEPARATELY

This doesn't mean "we will object if you sell them separately", it means "you will be breaking the law if they are sold separately, because they aren't individually labelled with the ingredients etc."

Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

MJB7
Boffin

Re: Single device secret

Key derivation from a master secret to generate multiple keys is a well understood cryptographic problem. It can be done either with an encryption algorithm (like AES) or a keyed hashing algorithm (like HMAC-SHA1). Either way, there is no way for an attacker to derive the master secret or another credential given one compromised credential unless they have a major break in the underlying algorithm (and the SHA1 collision recently found is *not* enough to help).

The advantage of doing this, is that you don't need more entropy for each new credential - and obtaining entropy for a small low-powered device like this is *hard*.
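An added example of the derivation the comment describes, written here and not taken from the commenter or from Google's Titan implementation: every credential key is computed with a keyed hash (HMAC, using SHA-256 rather than the SHA-1 the comment mentions) from one master secret plus public, non-secret inputs, so the token needs no fresh entropy per credential and nothing stored beyond the master and a counter. The master secret, the relying-party names and the HKDF-style expansion loop are all assumptions for the demo.

```python
import hmac
import hashlib

# Constructed demo master secret. A real token would generate this once, at
# manufacture or on first use, and never let it leave the secure element.
DEMO_MASTER = hashlib.sha256(b"constructed demo master secret, not a real one").digest()


def derive_credential_key(master_secret: bytes, relying_party: bytes,
                          credential_counter: int, length: int = 32) -> bytes:
    """Derive one credential's secret from the master with HMAC-SHA256.

    The derivation is an HKDF-Expand-style loop: each output block is
    HMAC(master, previous_block || info || block_index). The only inputs that
    vary per credential are public (relying party name, counter), so the token
    can recompute the key on demand instead of storing it.
    """
    if not (1 <= length <= 255 * hashlib.sha256().digest_size):
        raise ValueError("length out of range for a single-salt expand")
    info = b"credential-key|" + relying_party + b"|" + credential_counter.to_bytes(4, "big")
    out = b""
    block = b""
    index = 1
    while len(out) < length:
        block = hmac.new(master_secret, block + info + bytes([index]), hashlib.sha256).digest()
        out += block
        index += 1
    return out[:length]


class DemoToken:
    """Toy authenticator: one master secret, one monotonically increasing counter."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self._next_counter = 0

    def register(self, relying_party: bytes) -> tuple[int, bytes]:
        """Create a new credential. Returns the public counter (the 'key handle'
        the relying party stores) and the derived secret (kept by the token)."""
        counter = self._next_counter
        self._next_counter += 1
        return counter, derive_credential_key(self._master, relying_party, counter)

    def recover(self, relying_party: bytes, counter: int) -> bytes:
        """Re-derive a credential secret from public inputs; no per-credential storage."""
        return derive_credential_key(self._master, relying_party, counter)


if __name__ == "__main__":
    token = DemoToken(DEMO_MASTER)
    handle_a, key_a = token.register(b"example-bank.test")
    handle_b, key_b = token.register(b"example-mail.test")
    print("bank credential  :", handle_a, key_a.hex())
    print("mail credential  :", handle_b, key_b.hex())
    print("re-derived equal :", token.recover(b"example-bank.test", handle_a) == key_a)
```

Because HMAC is a PRF, a compromised `key_a` gives no path back to `DEMO_MASTER` or across to `key_b` short of a break in the hash itself, which is the comment's point about one leaked credential not endangering the rest.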

Early experiment in mass email ends with mad dash across office to unplug mail gateway

MJB7

Re: Let me try

The city of Leicester is pronounced exactly the same as Lester Haines' first name. The city of Worcester is pronounced pretty much the same as Bertie Wooster's last name (except this is slightly more confusing: the stress is on the last syllable, and the "oo" is a bit more of an indeterminate vowel).

Spectre rises from the dead to bite Intel in the return stack buffer

MJB7

Inevitable

Bruce Schneier commented at the time that Spectre was first found that there are going to be a whole class of issues like this, and academics are going to be busy finding them for years.

MJB7

Re: Asking (possibly) dumb question

There's no such thing as a stupid question (but failing to ask can be very stupid).

In general, you can't gain access to these buffers directly - but you can do things (like call a function), which will modify the buffers in a predictable way. Furthermore, by carefully timing things(*) you can estimate the contents of the buffer (if it has one value an operation, like return, will be fast; if it has another, it will be slow).

*: You might think that just adding a bit of timing jitter would be enough to fool this. Sadly, it turns out to be easy enough to repeat the exercise and average out the jitter. It turns out that you can do accurate-enough timing from within JavaScript - you don't need access to the hardware cycle counter.

If at first you, er, make things worse, you're probably Microsoft: Bug patch needed patching

MJB7

Re: VBScript itself is a problem

Err, 'C' is about twice that (started in 1972, K&R published in 1978), and it's *everywhere*. Fortran is just less than three times as old - first published in 1957 (although less popular than it once was).

Age is not a good reason to get rid of a language; in fact it's a reason to keep it - we've probably got rid of most of the nasties from the compiler/interpreter, and we know where the dragons live when writing it.

Mmm, yes. 11-nines data durability? Mmmm, that sounds good. Except it's virtually meaningless

MJB7

Re: Sigma(σ)?

The standard deviation is a useful and well-defined concept for a normal distribution. However we are not dealing with normal distributions here - more like Poisson (with a *very* low probability). The result is that standard deviations are not particularly meaningful (although, to be fair, 11-nines isn't either).

Samsung’s new phone-as-desktop is slick, fast and ready for splash-down ... somewhere

MJB7

Re: Must be tek4010

More likely to be a Tek 4014. The 4010 had an 11" screen, but the 4014 was a 19" screen - it was a beast.

Intel confirms it’ll release GPUs in 2020

MJB7

Single die vs plugin card

Sure *gamers* will upgrade their GPU - but the really *big* market for GPUs is not processing graphics!

We have pretty much run out of steam improving single-threaded performance. Multiple cores is the only way to improve performance. Once you start doing that at scale, you can drastically reduce the cost of each core by not trying to squeeze every last drop of performance out of it (you also design out Spectre et al). Once standard desktop software needs a GPU to perform well, everybody is going to want one - and they won't want it on a separate card.

The commentard who compared GPUs to floating point hardware had it exactly right.

Tesla undecimates its workforce but Elon insists everything's absolutely fine

MJB7

Re: Maybe 1 in 1000

40% of all cars registered in Norway in 2017 were electric or hybrid.

In Europe as a whole, plug-in electric cars were 1.4% of new registrations, which means we are probably not far off your "1 in 1000" of cars on the road already. (It will vary how you count it - electric vehicles probably do shorter journeys, so a lot fewer than 1‰ miles will be by electric vehicles).

Norway plans to ban new petrol/diesel cars by 2025 (which is 8 years away, not 30).

Even France and the UK plan to ban new cars by 2040 (which is rather less than your "30 years", but is distant enough that it could easily slip).

I think one in three by 2028 is quite plausible.

Hello, this is the FTC. You have been selected for a free lawsuit... Robocall pair sued

MJB7

Answer phones

"Most answering machines won't let you delete a message without listening to it." I don't think I've ever tried deleting a message without listening to some of it - but I've never had an answerphone which didn't let you delete a partly listened-to message.

UK judge appears in dock over Computer Misuse Act allegations

This post has been deleted by a moderator

BOFH: Their bright orange plumage warns other species, 'Back off! I'm dangerous!'

MJB7

Re: HSE

The real problem with the current H&S legislation in the UK is that it requires people to actually *think* - and we all know how popular *that* is.

Welcome to Ubuntu 18.04: Make yourself at GNOME. Cup of data-slurping dispute, anyone?

MJB7

Re: "IP address is PII"

No it isn't - but PII is an American term. The GDPR term is "PD" - "Personal Data", and an IP address absolutely *is* PD. GDPR is much wider than American rules (there's a surprise).

EmDrive? More like BS drive: Physics-defying space engine flunks out

MJB7

Re: conservation of momentum

Yes, conservation of momentum applies at the quantum level. The only caveat is that you can't measure the input or output momentum of the system with absolute precision. (But nobody has come up with a quantum experiment where momentum is clearly not conserved.)

German IKEA trip fracas assembles over trolley right of way

MJB7

Re: "Open another queue"

Good lord! We don't get that sort of behaviour in Baden; they're a friendly lot here. Bavaria on the other hand ...

Family Planning office warns customers private parts may be exposed

MJB7

Re: ANZAC day

However I think Remembrance Day is a comparatively minor event, while ANZAC day is the big day for remembering the dead from wars. As such, I think the description as "the equivalent of Remembrance Day" is fair.

Equifax reveals full horror of that monstrous cyber-heist of its servers

MJB7

Re: SSN

It shouldn't; what should worry you is all those idiot organizations that think your SSN is a secret. It's perfectly fine as a unique identifier (at least, if you only want to deal with legal US residents), but it's an absolutely appalling secret.

Royal Bank of Scotland decision to axe 160+ branches linked to botched IT gig – Unite

MJB7

Re: "not that I'm a member of NatWest or RBS now"

You never were a member of NatWest or RBS. Neither of those were ever mutuals (although they have probably absorbed ex-mutuals - I can't be bothered to check). You were a customer. You'd have to use one of the remaining building societies to be a member (Nationwide is pretty good, despite being larger than all the other building societies put together).

AMD CEO Su: We like GPU crypto-miners but gamers are first priority

MJB7

Re: "demand far outstrips supply"

Yes, everything in the garden is rosy **at the moment** (for vendors). However, there will come a time when the cost of the electricity to mine coins is worth less than the mined coins. At this point, rational miners will stop using their GPU rigs and sell them.

The real problem for the likes of AMD is that this point probably won't be reached gradually depending on exactly how much each miner is paying for electricity; it is much more likely to occur because of a crash in the alt-coin market. Then all of the miners will go bust, and all the administrators will be trying to sell their GPUs as quickly as possible (before the other administrators do the same and depress the price further), and the price of GPUs will drop through the floor. I can't wait.

What makes it worse is that it doesn't *much* matter if AMD have concentrated on selling to gamers; if the market is flooded with cheap secondhand nVidia boards, AMD sales will still crash (there are some AMD loyalists who would never touch nVidia - but not enough).

Reg writer Richard went to the cupboard, seeking a Windows Phone...

MJB7

Re: Apps

When you say "most of what's in the Play store is pretty pathetic", that may well be true - but it isn't really relevant. I want my bank's app, my car's app and my heating system's app; if those are crap, it isn't really Google's fault.

I got 99 secure devices but a Nintendo Switch ain't one: If you're using Nvidia's Tegra boot ROM I feel bad for you, son

MJB7

Re: "principles, not freeloading"

Can you please not talk about "real property rights". Pretty please?

The problem is that "real property" is a legal term (it means land and buildings, as opposed to personalty or "personal property" - like clothes or consoles). "actual property rights" or "genuine property rights" would be fine.

(As an aside, I think you overstate your case. If the transaction was changed to "leasing", I predict that the price the market would bear would be almost completely unchanged.)

There's security – then there's barbed wire-laced pains in the arse

MJB7

Ahem. Mandatory password changes are bad for security. Force a renewal when you suspect they are compromised, but otherwise encourage users to use a password manager, and a *good* master password.

'Every little helps'... unless you want email: Tesco to kill free service

MJB7

Re: Buy your own domain

*This*

I really wish I had followed my cousin's advice and bought a domain about eight years ago. (And I'm the techie one, and he is the marketing/management type.) Now I'm stuck with too many people knowing my gmail account.

Blackout at Samsung NAND factory destroys chunk of global supply

MJB7

Re: The maths don't add up...

Yes they do. If all the product currently in the factory is ruined, *and it takes three and a bit days* for all the processes to run, then the maths adds up just fine.

Diffusing various doping agents into silicon is not a particularly fast process.

Developer mistakenly deleted data - so thoroughly nobody could pin it on him!

MJB7

DON'T PANIC

"if you were placed in the same situation, and had the presence of mind that always comes with hindsight, could you have got out of it in a simpler or easier way?"

/usr/bin/python

But of course, that wouldn't have worked when people were running Unix on VAX.

Sacked saleswoman told to pay Intel £45k after losing discrim case

MJB7

Representing yourself

There is an old legal saying "A lawyer who is representing himself, has a fool for a client".

Having said that, there's no reason not to represent yourself for claims on the Small Claims Track. (But this is clearly not such a case.)

EE: Data goes TITSUP* for Brit mobile customers

MJB7

Actually, no they are probably miserable as sin about having to send you those texts (they would rather you just roamed away, and only found out about the prices when you got home) - but they don't have a choice. I think it's an EU regulation (too consumer friendly to be Ofcom's idea).

Full disclosh: Facebook to pay shareholders $35m over IPO non-disclosure claims

MJB7

Zero sum game

It *is* a zero sum game, but people who bought at IPO aren't the only players. The people who lose out from the payment are those who were shareholders *before* the IPO (including Mr Zuckerberg).

Somehow, I don't think this is going to leave him penniless.

PCI Council and X9 Committee to combine PIN security standards

MJB7

To be fair

This is an agreement between the people setting the standards. Both sides regularly update their standard. If they update it to be identical, then there will only be one standard. (Just like the BSI and DIN, and ANSI all have standards for the C programming language - they are just the *same* standard.)

Uber quits GitHub for in-house code after 2016 data breach

MJB7

Re: What kind of complete moron

1) Standard issue human. Once it is pointed out that the code is on GitHub, one goes "D'oh!", but everyone has done equally stupid things.

2) It was a private repo (otherwise, what would the point of multi-factor authentication be?)

3) Not a clue.

On yer bike! Boffins teach AI drone to fly itself using cams on bicycles, self-driving car

MJB7
Black Helicopters

Re: "In the UK"

It does say in the regulations you quote that you can ask the CAA for permission. I don't suppose the CAA would be much harder to convince than the local ethics committee. (I presume they had someone with their hands hovering over a kill switch so it would just drop on the ground. That's not too brilliant as a general strategy for drones, but at their height, it would have worked fine.)

(Icon because ....)

Just can't catch a break, can ya, Capita? Shares tumble 40% amid yet another profit warning

MJB7
Thumb Down

Same old same old

"I have initiated a transformation programme, appointed a Chief Transformation Officer and formed a new executive committee to drive this change."

Oooh! That'll change everything won't it. I suppose it is possible that he is actually going to introduce some significant changes - but that's not the way the smart money is betting.


The Register - Independent news and views for the tech community. Part of Situation Publishing