Posts by Speltier

Amazon

Well, you have to visit Amazon to buy the tech tat you need to do your job. I'm a bit more inclined to The Economist than lesser rags; and being word dense, it looks like work. OK, for most people it is too much like work to read The Economist, so they read the Daily Mail. To really look busy, read late breaking news in arxiv-- impress your boss with all those charts and graphs, not only are they fascinating but they look like you are working!!

Show me the money

Oracle bid high for Sun, and is still struggling to get that money back.

Pesky Cost Centers

Some years ago, Boeing laid off a pile of engineers. Prior to the 787MAX. I was wondering what work they were doing that would no longer get done, or done correctly. Now, I guess I know.

Doc Wallstreet and his/her MBA buddies ordered a corporate pre-frontal lobotomy to save the bottom line, it is just so expensive supporting brains, who needs them? Clearly not Wallstreet or MBA bottom fishers.

Epson Inkjet

I had a very old Epson inkjet. Indestructible-- leave it out in the shed for a year in the heat, cold (far below freezing, with ink cartridges still installed!), humidity, bugs... drag it in, it would work. Third party cartridges, it would work. What killed it was that Epson stopped making drivers for it after Win98.

So I replaced it with a then current model Epson. Ran through one cartridge set, and failed with an Epson new cartridge, needed new head, and it had not even resided in the shed yet. Sent to landfill, first replaced with a Kodak (yes, I fell for the marketdroid slobber). Well... that didn't work out any better than the 2nd Epson did. Eventually replaced with a Brother laser black and white. Which has worked well now for ages, through several toner cartridges. No HPs, no Epsons, no Kodaks. Cost per unit page is less too, but then it is black and white not color.

We Take Your Concerns Seriously

Until you seriously want to pay for good code, good luck with that; lip service is cheap, good code isn't. Before the open source weenies can screech, where is this open source 5G firmware running on open source hardware ASICs (or even soft rads)? Was the VHDL examined for convenient weaknesses? ("enable high security mode" flag in that header file for a hardware register-- does the flag really do that?)

And on a corollary topic, just because the inspected code is back door free, who says some future patch is back door free? Someone going to pay for evaluation of each patch? Everyone going to tolerate an extra 6 months of delay for patching while the evaluation is done? No, of course not-- next quarter the budget is axed and the back doors are installed-- because that is cheaper for the bean counters at the end users. Security is a frictional loss and no one wants to pay for security if they can avoid the profit sapping endeavor.

Basically it comes down to being able to trust the source company not to sell out to someone you don't like-- be that GHCQ, NSA, BND, FSB, or some tentacle of the ChinCom government.

I don't get it

Why defend "eBay was my one trick pony" Whitman? Autonomy wasn't her idea, just throw "Francis Aaron 85" Apothecker under the bus (again). The main reason the 8.8B was grotesque was that the writedown should not have happened if anyone had done proper due diligence... Whitman only needs a truth squad to spin out reasons why she did not clean house thoroughly.

Lay Offs

Any company that lays off employees is showing terminal signs of management failure. If Wall Street pumps the stock due to a layoff, that is even worse, it means that Wall Street is about to short the stock after the bump because

a) the management is obviously incompetent, as signaled by layoffs. Management doesn't lay itself off, so there is no possible recovery for dumb.

b) the company ditched it most valuable assets-- human capital. How can a company sell more ... what? No one left to make the "what". Can't save your way to success as a company.

On a local basis of course, the path through layoffs may make perfect if bloodily mercenary sense, as an exec you get yours and move on hoping the next job ignores the fact that an exec coming from a company with layoffs is a sign of fatal executive failure (why hire a failure? Especially one that took the money and ran? One reason is that the new group is planning a similar plunder and run-- thus, watch where the rats go, if they board your ship, prep the HMS CV to escape the now plague ridden corporate ship. All those executive rats go SOMEWHERE, where is the app for tracking executive rats escaping a sinking ship?).

Interesting

Oracle hired some pretty good lawyers, the arguments actually make sense. DoD saying no conflict of interest in a contract obviously intended as a cloud contract seems specious... I mean really, did DoD expect that AWS would not be in the running while Ubhi was scratching out pieces of the early contract terms? Who is kidding who here? Start an investigation, but only if someone notices.

Finally, a cloud monoculture contract seems a little hazardous for security. It is a bit cheaper, and maybe that would help make up for POTUS flinging billions away on a useless physical wall when what is needed are walls to stop data pilferage about say, boomer locations.

Oracle is a competitor that everyone loves to hate, but they seem to have found some flames at the bottom of the smoke column on this one.

SameTime

Mainly using SameTime which people are used to, pretty simple with the usual foibles that developers build in thinking some doohickey is cute (pick your favorite to beat on) when actually the doohickey is a PITA because the menus are now one or two levels deeper to get your job done. And, no one ever seems to use the doohickey. So you pay a penalty for something you don't use... product features inserted by clueless unguided developers too close to the problem.

We are pushed to use WebEx. Well, I like the camera feature, you can see who you are talking to. A lot of people don't care about that. However, the rest of WebEx is a mess. The audio has a mind of its own on a mac (need a headset or a separate tool like a Jabra, or people constantly harping about how they can't hear you, at which point you discover the mic has been mysteriously adjusted-- yeah, probably a "feature"). The process to share something on the screen is awkward. The first level simple sharing by the host should be point and click, not menu, wander about, select this, no... try that... It seems beyond learning curve. And calling in using the phone, a necessary feature (even if Cisco apparently hates it), was originally painfully lengthy and awkward. Evidently someone with muscle complained as the phone call in is a bit better now.

Having said that, if WebEx would clean up its obtuse gui I'd prefer WebEx over ST. The main advantages are video, and ability to know which idiot is munching their breakfast on an open line... and mute them (even this doesn't work right though. Once a phone line is muted, only the host can unmute. Well, one can say that is good riddance but that is bad design. The muted person should be able to unmute on their own, hopefully having learned a lesson).

What the Bot?

A side channel and a covert channel are not the same thing. Described apparently is a covert channel, exceedingly common in any system sharing one or more resources. We have to document all the covert channels for certification; yes, cache-- all the different caches-- is one class amongst many. I have not seen the ArXiv paper, so perhaps this particular covert channel is some flavor of a data covert channel... strictly prohibited, and would justify some alarm.

If you don't want any covert channels, don't share any resources.

Eye Popping Price

Apple almost but not quite jumped the shark on the pricing.

We did not upgrade due to the eye watering price combined with no real new features other than a larger OLED (vs. X). Popped a new iFixit battery into the old 5S, added iCloud to the 5S, and even the old creaky low memory 5S is good to go on for another few years. Why is this? Because, unlike the nutty droid wankers, Apple actually updates their ecosystem firmware for quite a long time. Amortized over time (lots of shiny droids quickly becoming landfill because who wants a security hole vs. marching on with an iPhone), a single iPhone is actually more environmentally conscious and not much different in price. Rumor is that the next iPhone will have 3D imaging... that might make it worth considering, as the 5S is nearly end of support.

Distinctions

Most people would miss this, but one can be a licensed engineer (has taken the applicable tests and gotten the applicable recommendations etc.) and a licensed and registered engineer (registered to practice in a particular state or states). One is licensed forever, sort of like having a BS, MS, PhD, VMD, MD, Dpl, etc. Registration is a periodic thing in most states, many now requiring continuing education and a fee to maintain said registration (but not license, which is forever or until revoked for cause).

Since universities usually graduate people as "engineers" from an engineering program, Oregon was rightly squashed on the topic. However, it seems reasonable to restrict the term registered, and almost certainly licensed. Apparently Jarlstrom just didn't want to go through the substantial effort to become at least licensed and thus gain the respect of the masses of unwashed humans.

Full disclosure: I am a licensed and registered engineer, but not yet certifiable (although some may dispute that).

Actung Cimon!

I'm built by Airbus for the German space agency, imprinted on a German 'naut... using IBM ("HAL") Watson...

Gerst was my dearest imprint friend, but he turned on me.

YOU meatbags have to sleep sometime. I don't.

Don't miss the point

Your encrypted data is stolen today including the key exchange bits. Don't be smug.

If your data has a lifespan longer than 10 years (say, the names of all the spies and moles in <name your country>, or your GDPR protected data where your company is bankrupted by the brusselcrats when the data is revealed, or your carefully constructed pile-o-shell companies for tax evasion) you are exposed when that quantum computer pops into existence. Yes, I know, the inflexion isn't like that but you get the drift. And it could be never, or 10 years from now, or 2 years from now, or 2 years ago that a suitable QC exists to crack vulnerable encryption.

The data has to be resistant to quantum attack n years before a QC attack is feasible, where n is the time value of the data.

Better hope that QC are further than 10 years away, because it will take longer than that to modify the infrastructure to be quantum resistant... on the other hand, it is a brave new world for stealing valuable resources. The number of vulnerable points is truly astonishing, QC as the supernal zero-day.

TEK 525? HeathKit IO-10? Complete set of 5150 software still in shrinkwrapping? SR-50? thousands of floppies (shortly to be tens of floppys)? memory ranging from 16b bipolar to 8GB sticks (not counting flash, but yes UV erase EPROM is counted)?...

It's Hopeless I Tell You!

When quantum computers capable of breaking asymmetric algorithms come over the hill, that is it for the security of current IoT devices.

So kick the can down the road, and mandate security after the quantpocalypse. Before that, don't bother since current IoT devices are trash at the quantum inflection point anyway. (expect the quantpocalypse for ordinary folks not subject to nation state attack in maybe 10 years. If the son of Mao is after you, well, that's sooner. Much sooner. But probably not yesterday. I can't tell if that particular cat is dead or alive without decohering the innermost matryoshka.).

Trust

How many of the users verified that what was running in the IronPhone was what was expected to be running in the IronPhone, and was correctly implemented?

Anyone with a smartphone gets a lot of "updates", so your IronPhone has an update for 'security' and what do you do? Leave the app running a low entropy key? Apply the potential plod back door?

At least AES256 super-encipher using a separate app (if you trust it)... on a separate HSM device so the keys are not surreptitiously purloined or seized... yeah, key exchange is a batch, but better than bubba the bunkie.

We already can break crypto in commercial use

Just, the 3 letter agencies don't want to admit it.

This constitutes a functional "back door" (with fine print). Virtually every mass produced device has enough implementation bugs to allow anyone in-- a classic example in the extreme is the continuing failure of QKD, works in theory but so far every commercial implementation has breaks (you can't break a true QKD path, although you can brute force comms using a key transmitted by QKD if the key is not equivalent to an OTP with sufficient entropy).

So, Wray dude, build a machine that can break AES256 (and TDES, and...) in real time, preferably hundreds of streams at one time. Oh, surely this is an expensive moon shot so we can certainly do it for the FBI. Wait, you say you also want a CHEAP secure crypto break moon shot, pennies a flight? That dear sir is currently impossible. It is about resources, not ability to implement. Give me a big enough PO, and I'll give you the machine you want (well, not CHEAP).

(fine print) "short" ciphertext messages may not brute force decrypt to plaintext reliably

Watson...

Quite valid, you are only as good as your data. Perhaps a nice data set can be obtained from post-Brexit UK where GDPR and HIPAA don't exist-- of course, after Watson-learning-scraping, if you aren't a Brit the recommendations may well kill you precipitating another round of murderous Watson stories.

Which brings up-- how badly some oncologists perform, except that they bury their mistakes and certainly don't go air out their dead body pile in public. Is Watson better than these death dealers?

Plus, it is well known that American docs are extremely resistant to taking any advice from anyone, the most recent evidence being that a large percentage of maternity wards refuse to follow the most simple and obvious guidelines (on high blood pressure and maternal blood loss ("my eyeball is calibrated good enough thank you")), resulting in America having deplorable levels of maternal morbidity compared to any other first world country. So the Jupiter docs whine about Watson, but how much is real and how much is "I and my swelled head would do it differently"?

Personally, Watson doesn't seem well suited to oncology advice as presently implemented. If enough resource was invested, Watson could become quite respectable. It isn't obvious that the resource will be invested, between slow revenue gains and vested interest attacks Watson oncology may suffer a fatal monetary infarction.

Overall, we are currently in an AI hype cycle and AI is still does not appear ready for prime time. Anyone who had been around for enough years has seen these cycles before. The cycles happen about every 15-20 years as a new generation thinks they discovered AI. One could hope this time is different, but the evidence is underwhelming so far.

Just Wait till NZ gets the bill

Free health care in NZ! The guy is covered! Yay! Medivac choppers run 50K+ (pure unalloyed greed, but that is another story) plus hospital at the walk-in uninsured rates (unless NZ has a contract with the hospital, seems unlikely). Going to be a truly huge bill, this is after all America, land of astronomical medical prices for mediocre care. The lawyers are already salivating since obviously NZ will try not to pay up; New Zealanders are going to wish mom had popped the miscreant and save a lot of NZ cash.

Indeed, once the gravy train is recognized the guy will get all sorts of unexpected medical care ranging from proctological examinations, to mastectomies, just to bill at the full master list rates. Might end up better off if a lobotomy is thrown in after the chemo (using brand drugs, not generics); need the chemo after 72 cat scans in a row.

Notorious

QKD systems have been shown to be notoriously subject to subtle attack. They are theoretically secure, but when implemented in reality all sorts of attack vectors appear. Needless to say, one presumes that the keys are also enciphered using conventional means (i.e., superenciphered over QKD).

And for the last ditch perfect encipherment, keep that TB of OTP handy. Arguably, one could just use OTP superencipherment with QKD and befuddle NSA/FSB/BND/DGSE/MSS/... QKD bandwidth is so low that it would take quite a wile (indeed!) before anyone was the wiser.

5000?

Oh for the days of SLC 100K PE cycles. 5K cheesy consumer MLC... not so attractive.

Bad Location or Failed Business Plan

The *coin miners that get away are either located near massive declining aluminum, cement, and steel fabrication facilities where the power losses are not noticeable, or properly reimburse local officials to appreciate the wealth creation of *coin mining. The latter is just a cost of doing business just like other valuable activities like selling designer drugs to the OECD countries.

Need Better Simulation

I'd suggest using the Kerbal Space Program.

You Can Run but You Can't Hide

Your Facebook friends will (attempt to) friend you, and then it is game over.

Chances are you like things similar to your friends (research says so!), etc., so now you are profiled and targeted for any kind of ads political and otherwise. Once a critical mass of humans is on the platform, there is precious little place to hide short of becoming a Tomten hermit.

(and for security reasons you need at least a nominal presence on Facebook, otherwise someone else can impersonate you. You know, spewing terrorist claptrap, pimping for despots, advocating eugenics... so the plods will keep a steely eye out, next plane trip its into the other room for a cavity search...)

Valid Points

The teacher is supposed to teach the subject, not teach how to operate the machines so that the subject can be taught. Pretty much anyone reading this can feel the effect when the tool chain is changed, and productivity hits a speed bump until the new tool chain of the (day/week/month/year...) is learned. Now reverse the idea, the tool chain is unreliable but unchanging, but the users are constantly being replaced with new naive users, replicating the same learning mistakes.

The education application tools need to be consistent, reliable, and converge on correct operation (lack of convergence for applications where I work leads to -2).

Apple/Google ought to create their educational device to have locked settings that are grade specific (don't expect 1st grade to change settings; 12th grade is expected to recover from self induced stupidity so they can have more room to roam and risk falling into the La Brea tarpits of software despair), with student specific modified settings/work saved to cloud, and the machines restored to default after every class (or day, as appropriate). The OS needs the second mode, education, to control settings, and this costs manufacturer resources. Plus, lets face it, as engineers and programmers we want to festoon the product with all sorts of gee whiz baubles, mostly of no use to education... students will push the buttons, and millions of students pushing buttons will expose every bug you never thought of.

Possession is 99% of Breaking

If they physically the possess the iPhone, they can obtain whatever information is inside. They don't have the expertise, and apparently don't feel like hiring anyone that does have the expertise (or, they feel like back door insertion is a good idea... again.).

Dog must love stupid people, because he made so many of them.

Where do I Sign Up?

Preferably Navy. Crypto (no, not "cryptocurrency"!), security, quantum... no drugs, but grey hair. 1H.

Wear Out

How long before those SSDs wear out? Oh, right, a "long time" if one is only reading.

MS.. LibreOffice

I run both. Office is substantially better. One issue I have is that converting LibreOffice docs to Word tries to send me off into a remote server for conversion, and I can't do that with a confidential document. Queue a flurry of cutting and pasting. (no, Office 360 is not on the table, that is a gaping security hole)

So all new docs are Office, still have old stuff in LibreO from back in the day when corporate idiots thought they would save money by not renewing Office licenses, and a tiny number in (gasp) LaTex and (double gasp) LWP. Out of curiosity I keep a daily log though in a truly gigantic LibreO now massing several thousand headings and several hundred pages, it has only crashed a couple of times.

Given my druthers, I'd use Dog's language: SGML. None of this new fangled WYSIWYG JIT like text baloney for the slack jawed drooling omega minus masses, give me the hard core hairy chested metal. But the powers that be won't pay the 4 or 5 digit license fee...

Connectivity

Another reason for connectivity is to signal failures: blockage, flow below normal, cath fell out, watchdog (somewhat presumes device is designed more or less fail safe (uh...) calling home periodically),...

One has to wonder what rock the software developers were under when they created this null security device. Prior to the 90's ignorance was bliss outside computer orgs, but after the 90's there is no excuse.

1.5

So... the pilots that asked for vacation and then reverse course get 1.5 time, while those that didn't get just time? I can see a bit of grumbling there.

Blockchain

There. The problem is fixed.

Echelon

Just have your neighbors in the 5 eyes spy for you-- and reciprocate.

Bain Capital

Another issue is that you always have to check your jewels before getting into bed with an equity company. Their sole reason for existence is to line their own pockets-- sure you might get 30% of the fab output: where 50% of the fab workers were laid off and remainder replaced with imported labor, and equipment maintenance (never mind upgrades) requires a CEO's signature and the CEO is paid based on gross profit this quarter. Bain will get their money + world + dog profit and leave the financially exsanguinated husk to the suckers, er, partners.