95 posts • joined 27 Nov 2013
"Whatever level of stiffness the BrExit, if it has any form of formal agreement with the Eu ECHR has to stay"
Aaaaaaarggh! The European Court of Human Rights is entirely independent of the European Union. It is a creature of the Council of Europe (which has as members all European countries except Belarus, Kazakhstan, and Vatican City).
The senior court of the European Union is the European Court of Justice.
Re: Poorly configured system
"Almost by definition you'd think 'administrator' commands should only be available to administrators?"
You are obviously thinking with the mindset of a 21st-century security consultant. The late '70s was a much more innocent time, when it wasn't completely obvious that just trusting people to be responsible wasn't good enough.
Not in their interest, is it?
NCSC may be part of GCHQ, but their remit is to protect government (interpreted broadly) systems, and UK businesses.
There are plenty of other people saying password resets other than when compromised are a bad idea.
If Citrix wanted to do something useful, they could check new passwords aren't in the Have I Been Pwned database.
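As an added illustration of the check suggested above (example code written here, not the commenter's nor Citrix's, and not the Pwned Passwords client library): the Have I Been Pwned range API only ever sees the first five hex characters of the candidate password's SHA-1, and the caller matches the full hash locally against the returned suffixes. The breach "corpus" and its counts below are constructed for an offline run; `live_range_endpoint` calls the real service and is included for reference but is not used by the demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for the Pwned Passwords corpus: made-up entries and
# made-up counts so the demo runs offline. NOT real breach data.
FAKE_BREACH_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "letmein": 200000,
    "qwerty123": 4000,
}


def sha1_upper_hex(password: str) -> str:
    """Pwned Passwords is keyed on the upper-case hex SHA-1 of the raw password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Offline simulation of GET /range/{prefix}: every corpus hash sharing the
    five-character prefix comes back as 'SUFFIX:COUNT', one entry per line."""
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = sha1_upper_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range_endpoint(prefix: str) -> str:
    """The real k-anonymity endpoint (needs network; not used by the offline demo).
    Only the five-character prefix ever leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0) are dropped."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        count_int = int(count) if count.isdigit() else 0
        if count_int > 0:
            seen[suffix.upper()] = count_int
    return seen


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_range_endpoint) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    The full hash is never sent; only its prefix goes over the wire and the
    suffix is matched against the returned list locally."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str,
                        fetch_range: Callable[[str], str] = fake_range_endpoint) -> bool:
    """Policy hook for a password-change handler: refuse anything seen in a breach."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        verdict = "REJECT" if not password_acceptable(candidate) else "ok"
        print(f"{candidate!r}: {verdict}")
```

To use the real service, pass `fetch_range=live_range_endpoint`; the `Add-Padding` header makes the response size independent of how many real hashes share the prefix, which removes a minor leak about which prefix was queried.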
Certificate pinning won't help
Certificate pinning won't help with this at all. At least with Chrome, certificate pinning accepts any certificate signed by a locally installed root cert (as opposed to one which is distributed with the operating system). This is so that businesses who use a TLS decryption/encryption device to scan all outgoing TLS can continue to do so.
(I suspect the commentards here will have definite views on the desirability of such devices, but I can see why Chrome would decide not to fight that battle.)
It was a lit CeBIT see, got teeny weeny, world's biggest tech show yearly party... closed its German fest's doors yesterday
Re: You only wish you're too old
According to WP Timmy Mallett only started being active in 1982. I graduated two years before that, and had stopped watching children's TV.
I'm not sure how I managed to avoid him when my son came along (but I did). What I have heard about him has not encouraged me to look more closely.
("teeny weeny" immediately made me think of "yellow polka dot bikini" - but I couldn't see how it fitted.)
At least in England and Wales (I can't speak for Scotland), you *do* own the land to the centre of the road - it's just that you can't stop people walking/driving/etc over it (it's a public highway).
So it is quite likely that the State of California *doesn't* own the roads (assuming a similar legal system to E&W)
Garbage collection – in SPAAACE: Net snaffles junk in first step to clean up Earth's orbiting litter
Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers
Re: Max fine
"the regulator has no qualms about setting maximum fines for the really big offences" - I don't think that is what is going on here. I think what happened is that GDPR has upgraded the scale for fines like this. In other words the regulator thought about what fine they would levy if GDPR applied, and then capped it at what the DPA allowed.
I would be surprised if they would hand out a maximum fine under GDPR for this; but of course, even 0.4% of global turnover would get the attention of the boards of the other credit agencies.
Re: (m/f) in job ads
Certainly in Germany, this is because discrimination is outlawed, but the grammar is such that job titles are different for men and women. A male programmer is "ein Programmierer", a female programmer is "eine Programmiererin" (you can occasionally still see that in English: "an actor" vs "an actress"). This applies to *all* job titles. That means you can either advertise for "ein(e) Programmierer/Programmiererin" or "ein Programmierer (m/w)" - and most choose the latter.
I expect the same applies to most European languages.
Re: Hats off to 'em...
"TBH, we should have spotted this in testing"
Well yeah, that would have been nice. But the fact that your saying that in a public forum is not a career-limiting move is what we are applauding.
... although it would have been nice to see something about this in my RSS feed from the RPi blog (I'll go and sit in the nit-pickers corner shall I?)
A friend's daughter can (could - this is probably 20 years ago now) speak Urdu because she spent so much time playing with her best friend that she picked it up from the best friend's mother (who didn't speak English).
I imagine there is quite a bit of local authority material written in both English and Urdu.
Connecting the infotainment system to the ECU means that the radio can automatically turn up the volume as the speed increases (to compensate for increased engine and road noise). It is also dead useful for the navigation system to have access to the road speed from the ECU - it allows it to dead reckon inside tunnels (where the GPS signal tends to be somewhat limited).
Of course, in a properly secure system, the infotainment system would be connected to a secure module that can *read* the CAN bus, but refuses to write to it. The problem there is that another module costs dollars, and car manufacturers care about saving cents.
You may feel that remote central locking gets the balance between usability and security wrong; I don't. I value being able to remotely unlock the car - it's not a *huge* benefit, but the risk seems to be pretty low too
Re: Single device secret
Key derivation from a master secret to generate multiple keys is a well understood cryptographic problem. It can be done either with an encryption algorithm (like AES) or a keyed hashing algorithm (like HMAC-SHA1). Either way, there is no way for an attacker to derive the master secret or another credential given one compromised credential unless they have a major break in the underlying algorithm (and the SHA1 collision recently found is *not* enough to help).
The advantage of doing this, is that you don't need more entropy for each new credential - and obtaining entropy for a small low-powered device like this is *hard*.
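As an added worked example of the derivation described above (written here, not the commenter's code and not any particular device vendor's): the HMAC-based construction standardised as HKDF (RFC 5869) takes one master secret and stretches it into as many independent credentials as needed, with a distinct info string per purpose and index giving domain separation. HMAC-SHA256 is used here rather than the HMAC-SHA1 the comment mentions; the structure is identical. The master secret and purpose labels in the demo are placeholders.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC(salt, IKM). An absent salt means HashLen zeros."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_credential(master: bytes, purpose: bytes, index: int, length: int = 32) -> bytes:
    """Derive the index-th credential for `purpose` from a single master secret.

    The info string carries a fixed application label (placeholder name), the
    purpose and the index, so credential 3 for b"psk" can never collide with
    credential 3 for b"mac", and no credential reveals the master or a sibling
    without a break of HMAC itself.
    """
    prk = hkdf_extract(b"", master)
    info = b"example-device-kdf\x00" + purpose + b"\x00" + index.to_bytes(4, "big")
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    # The only entropy the device ever needs: one master secret at provisioning time.
    master = os.urandom(32)
    for i in range(3):
        print("psk", i, derive_credential(master, b"psk", i).hex())
    print("mac", 0, derive_credential(master, b"mac", 0, 48).hex())
```

Because Expand is deterministic, the device can regenerate any credential on demand from the master plus a small (purpose, index) pair rather than storing every key; only the master itself needs protected storage.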
Re: Let me try
The city of Leicester is pronounced exactly the same as Lester Haines' first name. The city of Worcester is pronounced pretty much the same as Bertie Wooster's last name (except this is slightly more confusing: the stress is on the last syllable, and the "oo" is a bit more of an indeterminate vowel).
Re: Asking (possibly) dumb question
There's no such thing as a stupid question (but failing to ask can be very stupid).
In general, you can't gain access to these buffers directly - but you can do things (like call a function) which will modify the buffers in a predictable way. Furthermore, by carefully timing things(*) you can estimate the contents of the buffer (if it has one value, an operation like a return will be fast; if it has another, it will be slow).
Re: VBScript itself is a problem
Err, 'C' is about twice that (started in 1972, K&R published in 1978), and it's *everywhere*. Fortran is just less than three times as old - first published in 1957 (although less popular than it once was).
Age is not a good reason to get rid of a language; in fact it's a reason to keep it - we've probably got rid of most of the nasties from the compiler/interpreter, and we know where the dragons live when writing in it.
The standard deviation is a useful and well-defined concept for a normal distribution. However, we are not dealing with normal distributions here - more like Poisson (with a *very* low probability). The result is that standard deviations are not particularly meaningful (although, to be fair, 11 nines isn't either).
Single die vs plugin card
Sure *gamers* will upgrade their GPU - but the really *big* market for GPUs is not processing graphics!
We have pretty much run out of steam improving single-threaded performance. Multiple cores is the only way to improve performance. Once you start doing that at scale, you can drastically reduce the cost of each core by not trying to squeeze every last drop of performance out of it (you also design out Spectre et al). Once standard desktop software needs a GPU to perform well, everybody is going to want one - and they won't want it on a separate card.
The commentard who compared GPUs to floating point hardware had it exactly right.
Re: Maybe 1 in 1000
40% of all cars registered in Norway in 2017 were electric or hybrid.
In Europe as a whole, plug-in electric cars were 1.4% of new registrations, which means we are probably not far off your "1 in 1000" of cars on the road already. (It will vary how you count it - electric vehicles probably do shorter journeys, so a lot fewer than 1‰ miles will be by electric vehicles).
Norway plans to ban new petrol/diesel cars by 2025 (which is 8 years away, not 30).
Even France and the UK plan to ban new cars by 2040 (which is rather less than your "30 years", but is distant enough that it could easily slip).
I think one in three by 2028 is quite plausible.
Re: "not that I'm a member of NatWest or RBS now"
You never were a member of NatWest or RBS. Neither of those were ever mutuals (although they have probably absorbed ex-mutuals - I can't be bothered to check). You were a customer. You'd have to use one of the remaining building societies to be a member (Nationwide is pretty good, despite being larger than all the other building societies put together).
Re: "demand far outstrips supply"
Yes, everything in the garden is rosy **at the moment** (for vendors). However, there will come a time when the cost of the electricity to mine coins is worth less than the mined coins. At this point, rational miners will stop using their GPU rigs and sell them.
The real problem for the likes of AMD is that this point probably won't be reached gradually depending on exactly how much each miner is paying for electricity; it is much more likely to occur because of a crash in the alt-coin market. Then all of the miners will go bust, and all the administrators will be trying to sell their GPUs as quickly as possible (before the other administrators do the same and depress the price further), and the price of GPUs will drop through the floor. I can't wait.
What makes it worse is that it doesn't *much* matter if AMD have concentrated on selling to gamers; if the market is flooded with cheap second-hand nVidia boards, AMD sales will still crash (there are some AMD loyalists who would never touch nVidia - but not enough).
I got 99 secure devices but a Nintendo Switch ain't one: If you're using Nvidia's Tegra boot ROM I feel bad for you, son
Re: "principles, not freeloading"
Can you please not talk about "real property rights". Pretty please?
The problem is that "real property" is a legal term (it means land and buildings, as opposed to personalty or "personal property" - like clothes or consoles). "actual property rights" or "genuine property rights" would be fine.
(As an aside, I think you overstate your case. If the transaction was changed to "leasing", I predict that the price the market would bear would be almost completely unchanged.)
To be fair
This is an agreement between the people setting the standards. Both sides regularly update their standard. If they update it to be identical, then there will only be one standard. (Just like BSI, DIN and ANSI all have standards for the C programming language - they are just the *same* standard.)
Re: "In the UK"
It does say in the regulations you quote that you can ask the CAA for permission. I don't suppose the CAA would be much harder to convince than the local ethics committee. (I presume they had someone with their hands hovering over a kill switch so it would just drop to the ground. That's not too brilliant as a general strategy for drones, but at their height, it would have worked fine.)
(Icon because ....)
Same old same old
"I have initiated a transformation programme, appointed a Chief Transformation Officer and formed a new executive committee to drive this change."
Oooh! That'll change everything won't it. I suppose it is possible that he is actually going to introduce some significant changes - but that's not the way the smart money is betting.