* Posts by Lysenko

986 publicly visible posts • joined 23 Jan 2015

Kaspersky dragged into US govt's trashcan as weaponized blockchain agile devops mulled

Lysenko

Isn't it unusual, for a law to single out a specific company by name?

It's not a million miles away from a Bill of Attainder either, however, the US legislature is historically quite fond of those (particularly where "Commies" are involved) despite the constitution prohibiting them.

Big biz: Algorithms are too complicated, but also too easy to game, to open the black box

Lysenko

Re: Security through obscurity

Funny, you'd think highly-paid Google and Microsoft staffers would've heard the old line about security through obscurity.

The entire HFT (High-Frequency Trading) industry depends on exactly this. The idea that an algorithm should be impossible to game, even when you know the implementation, is specific to cryptography because that's what those algorithms are supposed to do. Other algorithms have other purposes, which in the case of HFT, means making a profit relative to other people's HFT trading systems. That means any HFT algorithm with a publicly understood implementation is useless by definition because as soon as the opposition can predict your trades precisely they will be able to anticipate and negate them. The same principle applies to the recipe for Coca-Cola etc.

Lysenko

But Labour MP Martin Whitfield questioned this apparent dichotomy: the committee had a lot of evidence saying that handing over the information on the algorithm meant someone could game it – but also that the systems were so complex no one understands it.

There is no contradiction. Most people can cross a road and many of them can "game" the parameters of that, right up to playing chicken with oncoming vehicles, but almost no-one could tell you how they did it. The brain is processing thousands of vector calculations in milliseconds and fully integrating those into movement instructions in a continuous feedback loop.

However, it isn't magic - all those inputs and calculations could be enumerated and documented for each specific instance - but would that help anyone to understand how to cross a road? Would anyone short of a physics student even be able to follow the algebra? There is nothing contradictory about a process being too complex for a human to fully understand but also susceptible to directed human manipulation. Merely breathing illustrates that, let alone standing up and crossing roads.

America's drone owner database is baaaack! Just in time for Xmas

Lysenko

Re: Not disputing that a national drone database is a good idea

Tell me, in a firefight which would you prefer to have, a drone or a gun?

I would prefer to be carrying an HK MP-5 with full auto capability. Also a few claymores and grenades in case I get bogged down behind cover - oh, and those would include smoke/gas grenades (obviously) and the full kevlar set with ceramic inserts goes without saying. However, since I'm about to walk to the shops, not storm Aleppo, I don't actually need any weaponry - we don't have the disadvantage of the second amendment so we're about 160 times less likely to get involved in a "firefight" compared to you.

Pickaxe chops cable, KOs UKFast data centre

Lysenko

Re: DR Testing Failure

We saw a small temperature wobble for the 20 mins prior to the failure. I wonder if they were on UPS ?

That isn't uncommon. The servers are on UPS but the CRAC units aren't so temperature trends upwards until the generators kick in. That's the theory, anyway. I've never known anyone actually perform a controlled test to see what happens if the generators fail - does the UPS power run out before thermal overrun cuts in or not?

I have seen it happen for real though. The "cold aisle" input temperature hit about 80 degrees before the monitoring equipment comms failed. God knows what the peak was (dark site - no humans present).

Lysenko

Re: DR Testing Failure

Every datacenter I've ever dealt with does weekly on-load generator tests, and UPS failover tests.

None of which tells you that you're safe against a breaker cascade as the whole A load switches to B and idling PSUs in blade chassis reactivate etc. There is no substitute for randomly[1] flicking breakers, PSUs and HVACs on a routine basis to verify TIII resiliency and DR will work as required. Unfortunately, that requires a degree of testicular fortitude entirely absent in facilities staff (other than perhaps those actually angling for a P45) and so this sort of thing keeps happening.

[1] It has to be random otherwise Ops will shift loads to other infrastructure to protect their uptime metrics, thus invalidating the results. Idling equipment draws less power.

Lysenko

How bizarre

MANOC 5 is supposed to be a Tier III facility which means (and I quote):

"N+1 fault tolerant providing at least 72 hour power outage protection"

If a single HVAC failure took out the DC that means they're either lying or else the secondary and tertiary power supplies plus the UPS and generators were all simultaneously both defective and not known to be defective. Even with negligence and incompetence bordering on deliberate sabotage, I don't find the latter option credible.

Developers, developers, developers: How 'serverless' crowd dropped ops like it's hot

Lysenko

Re: A true paradigm shift!

Still, like I said - this is truly a boon for all those data-free companies out there!

While I mostly agree with you, you are missing the fact that some companies have a lot of data that are neither confidential nor anything to do with people. We have systems that process, store, and analyze tens of thousands of temperature, humidity, and power readings per site, per hour. There isn't a single GDPR or other compliance relevant datum in there and no-one really cares whether the data is secure or not (in the sense of unauthorised read). What we are interested in doing is deriving models, correlations and graph functions to improve predictive accuracy and some of that is processor/RAM intensive.

If you have data, you need a sysadmin.

Not necessarily.

Signing up for the RAF? Don't bother – you've been Capita'd

Lysenko

Failure to decrapitate your supply chain always entails a substantial risk of decapitating services. Universal constant.

Trump to NASA: Fly me (or some other guys) to the Moon

Lysenko

Re: Caveat

Was going to applaud this until I discovered it was just bribery to stop scientists going on about environmental damage.

Well, since yet more CO2 readings aren't going to change a damn thing (particularly in the USA), it probably makes sense to concentrate on establishing outposts elsewhere. Ironic really, since much of the USA is in the global warming firing line while Russia (meaning Siberia) and Canada are set to become ideal temperate destinations.

Leftover Synaptics debugger puts a keylogger on HP laptops

Lysenko

Re: >ifdef only makes sense if there is a "build" step and with an interpreter that isn't automatic<

If we're being pedantic, there's no such thing as an "interpreted language", there are simply interpreted implementations of languages. Interpreters exist for C and there are compilers for JavaScript buried in the bowels of JS VMs (two of them in the case of V8).

Lysenko

Re: Can anyone explain

But some facilities to remove code from the final output are usually welcome.

They usually exist as well, but it takes more work to use them. For example, if you're using vanilla JavaScript then there's no ifdef, but if you're using it with a compiler (transpiler) and a linker (webpack) then you can use ifdef-loader. Python has ifdef.py. I'm sure you can do something similar with Ruby etc.

The issue is really that ifdef only makes sense if there is a "build" step and with an interpreter that isn't automatic so pre-processor functionality can never be as consistent.

Lysenko

Re: Can anyone explain

{$IFDEF DEBUG}
  Writeln('Development build.');
{$ELSE}
  Writeln('Production build.');
{$ENDIF}

... is how you conventionally write it in Delphi/Pascal. The language is case-insensitive of course, so $ifdef or $IfDef etc do exactly the same thing.

Lysenko

Re: Can anyone explain

Possibly on-screen keyboards. If you have a touchscreen laptop, keycodes might be generated via three different mechanisms (physical keyboard, touchscreen soft keyboard, touchpad operated soft keyboard) and you might want logging to ensure they are all working consistently.

Coventry: Once a 'Ghost Town', soon to be UK City of Culture

Lysenko

Re: What is this award supposed to indicate?

It's supposed to throw a meaningless bone to "the provinces" to distract from the vastly disproportionate spending inside the M25. After all, we wouldn't want anyone looking too closely at the £15Bn bung (Crossrail) to the City of London financial sector, which directly disincentivises the relocation of business to more deprived areas like ....errr ... Coventry.

So you're 'agile', huh? I do not think it means what you think it means

Lysenko

Re: I cannot believe I'm going to defend...

...some of the stuff I saw when I was in Gov't service but here goes:

On a related note, I remember one govt project about twenty years ago that had failed twice (the immediate predecessor attempt being canned after burning £11M) using an early "agile" approach that revolved around rapid releases and continuous user feedback. The problem was the users weren't entirely stupid. They knew the new IT system was an integral part of a wider programme of "rightsizing" (aka "Redundancies") so they weren't exactly motivated to see it succeed.

We did succeed though. By performing time in motion studies of what the users did, performing top-down systems analysis and then implementing the system to do the job as it needed to be done (not how the users thought it should be done). Forty percent of users redundant inside 12 months. Result. Just not the result the users would ever have signed off on.

Lysenko

Something's off with this article ... I can't quite...

Michael Cote will be speaking at our Continuous Lifecycle London 2018 event. Full details, including early bird tickets, right here.

... and there it is. Perhaps you could post a link to the author's GitHub repository so we can verify his credentials to lecture about coding? Or how about an overview of the last development project he personally managed to successful completion (preferably in an environment with compliance/regulatory/safety aspects)?

I must re-emphasise the personally managed bit because we're all familiar with George Bernard Shaw's insightful dictum ("Those who can - do. Those who cannot - consult") and I wouldn't want to write someone off as a PowerPoint jockey unfairly.

Tired of despairing of Trump and Brexit? Why not despair about YouTube stars instead?

Lysenko

Re: Despair over Brexit and Trump?

Handy tip: just because many people are deeply attached to Benson & Hedges, that doesn't mean one should give equal time and credence to cigarette smoking being a good idea.

Rogue PIs found guilty of illegally snagging personal financial info

Lysenko

I thought this was going to be something different...

Rogue PI's ... as in Raspberry Pi SBCs left open on the internet.

I'm sure lots of them exist out there based on the number of bots trying to SSH my servers using "raspberry" and "pi" as credentials. Mostly from China (expected), India (expected), USA (expected - would you like a side order of Fail2Ban with that Mr NSA) and Italy!???

Evil Rooskies seem to leave me alone for some reason.
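Added example, not part of the original post: one way to measure the default-credential probing described above, by counting failed sshd logins for Raspberry Pi default account names per source address. The log lines are constructed (documentation IP ranges), and the username watchlist and threshold are assumptions; sshd records the attempted username, not the password.

```python
import re
from collections import Counter

# Assumed watchlist: account names associated with default Raspberry Pi images.
DEFAULT_PI_USERS = {"pi", "raspberry", "raspberrypi"}

# OpenSSH "Failed password" lines, with or without the "invalid user" prefix.
# The username group is greedy so that, if a submitted username itself contains
# " from ", the address taken is the last one on the line (the one sshd wrote).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$",
    re.MULTILINE,
)

# Constructed sample of an auth log; not taken from any real host.
SAMPLE_LOG = """\
Dec 14 03:11:02 host sshd[2211]: Failed password for invalid user pi from 203.0.113.7 port 40112 ssh2
Dec 14 03:11:05 host sshd[2213]: Failed password for invalid user pi from 203.0.113.7 port 40120 ssh2
Dec 14 03:11:09 host sshd[2215]: Failed password for invalid user raspberry from 203.0.113.7 port 40131 ssh2
Dec 14 03:12:40 host sshd[2230]: Failed password for root from 198.51.100.23 port 51822 ssh2
Dec 14 03:13:01 host sshd[2241]: Failed password for invalid user pi from 198.51.100.23 port 51830 ssh2
Dec 14 03:14:17 host sshd[2250]: Accepted publickey for admin from 192.0.2.10 port 60022 ssh2: ED25519 SHA256:constructed
Dec 14 03:15:44 host sshd[2262]: Failed password for invalid user ubnt from 203.0.113.99 port 33001 ssh2
"""


def parse_failures(log_text):
    """Return (username, source_ip) for every failed password attempt."""
    return [(m["user"], m["ip"]) for m in FAILED_RE.finditer(log_text)]


def targeted_usernames(log_text):
    """Count failed attempts per attempted username."""
    return Counter(user for user, _ in parse_failures(log_text))


def pi_probe_sources(log_text, threshold=2):
    """Sources with at least `threshold` failed logins for Pi default accounts."""
    per_ip = Counter(
        ip
        for user, ip in parse_failures(log_text)
        if user.lower() in DEFAULT_PI_USERS
    )
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    print("attempted usernames:", dict(targeted_usernames(SAMPLE_LOG)))
    for ip, n in sorted(pi_probe_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failed logins for Pi default accounts")
```
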

New Capita system has left British Army recruits unable to register online

Lysenko

Then, when the Moronistry of Defence came to review the contract, yet again they went for the lowest tender, this time it was Crapita who were the most mendacious. Crapita waltzed in, planning to rinse-and-repeat the HPE effort after using the know-how people to build a new system (as you say, shouldn't take long) before sacking them...

I know nothing of this fiasco but I do know that 16 years ago Crapita won the outsourcing bid for the Department of Employment system that ran part of the Youth Training Scheme. The existing system worked and was built in house, so Crapita assumed they could just TUPE over the staff who wrote it, leech the domain-specific expertise and then offshore the system maintenance. Nope.

Many essential staff refused to work for Crapita, even on secondment and resigned in the face of ultimatums. As a result, the system was rendered unsupportable[1] and procedures crashed back to paperwork for a couple of years (at great expense to the taxpayer, not Crapita).

[1] Governments meddle with the rules affecting systems like this with every budget so just keeping the system going in a fossilised state is never an option. Budget announcements are confidential and frequently immediately active so front-line systems have to be capable of implementing major changes at the drop of a hat while still supporting X levels of old rules that govern all the prior contracts. That means (or meant then) that you need people who hold most of the logic and codebase in their head. There was enough redundancy in the workforce to cope with flu, car accidents and alcoholism, but not enough to survive a pandemic like the "Crap Death".

Cost-hurling IBM seeks more volunteers for employment bonfire

Lysenko

Whatever happened to the critical IT skills shortage holding back the economy?

I'm serious. I don't pay much attention to the recruitment landscape. Is the above a solved problem now? There is an oversupply of IT professionals and companies are snowed under with qualified applicants?

Because if the answer above is negative - why is anyone still working for unreliable backstabbers like IBM and HPE? I bailed out at the first sniff of being TUPE'ed to Crapita nearly 20 years ago. Even then working for a sleazy outsourcing firm was obviously a recipe for being ruthlessly exploited before being knifed and dumped in a ditch.

Sloppy coding + huge PSD2 changes = Lots of late nights for banking devs next year

Lysenko

Re: Poorly written code is not down to the language *cough* PHP *cough* but the developer

PHP is worse than VB as a language, I'll definitely grant you. But the code written ( while usually not internet exposed ) would have been plenty of awful.

The only thing remotely close to PHP was ES3- era JavaScript. The language was catastrophically bad, but it was possible to do useful things with it. How did the JS world deal with that without completely breaking backward compatibility? Transpilers. You get software to deal with the language bear traps so that developers can use decent languages like ES6 or TypeScript.

How did PHP address the same problem? Add new APIs and libraries while retaining the old ones. You retain all the horrific old junk with an extra side order of confusion. As a result, what gets used tends to be whatever Google first trawls from StackOverflow. No other language has ever started with such broken fundamentals and then fought so heroically to prevent them being repaired.

Lysenko

Re: Poorly written code is not down to the language *cough* PHP *cough* but the developer

I'm sure if you look pre .NET at VB5 / VB6 code you'll find the same horror show.

No, you won't, if for no other reason than most code of that era wasn't exposed to the internet in the first place. But that isn't the only reason. A quick glance at the VB3 standard library, even before "Option Explicit", reveals a concept largely unknown in the Personal Home Page world - consistency.

You would be better off going after PowerBuilder or some other dodgy old 4GL, and you would still be wrong. PHP is uniquely bad. Nothing else comes close or has come close in the last thirty years.

Lysenko

Banks have been slower than other sectors in adopting modern coding tech, partly because of the need to support legacy apps written in Cobol but also because of complex coding environments.

They were wheeling COBOL guys out of retirement homes for Y2K. What are they depending on this time? Exhumation orders?

Banks don't need to continue to support creaky old legacy systems, what they need to do is devise a strategy (OK so far), on-shore or in-house development (hang on a minute!) and increase dev budgets significantly to pay for it (BURN THE HERETIC!!).

I watched the same movie 20 years ago. This is just a franchise reboot. I expect the story to be remade again with a contemporary cast around 2040.

It's a decade since DevOps became a 'thing' – and people still don't know what it means

Lysenko

We all know what "Beta Test In Production" means...

... and labelling it DevOps won't change that.

Shovel [redacted] as fast as possible down the continuous integration pipeline, pausing only to check it isn't toxic enough to trip the unit tests, then get your users to do your real QA, ask forgiveness rather than permission, then brag about your mean time to remediate metrics? Get the Devs to configure AWS security because Ops isn't a specialism we need any more?

Unfortunately, we know exactly what DevOps means.

Walk with me... through a billion files. Slow down – admire the subset

Lysenko

Is this a press release or actual journalism?

There's nothing remotely new or innovative about storing metadata in a database to speed up file searches. In Linux terms, [find] does tree walking and [locate] leverages an indexed DB to do the same job. Filesystems that incrementally [updatedb] in real time (as against batch mode) aren't new either.

Now, I'm not saying these guys are "Emperor's new clothes", but leading with trivial features and ridiculously brain-dead tree walk time calculations doesn't do them any favours. There were indexed file searches in the early '90's on NetWare. How about covering something a bit more impressive, like their capability (assuming it exists) to dedupe files that differ only in terms of metadata?

European Commission intervenes in Microsoft Irish data centre spat

Lysenko

First, relocating the data to a US server does not violate privacy, because they're not showing the data to anybody yet. Then, revealing data on a US server to the US government happens outside of Europe, so Europe law does not apply?

Extraordinary rendition of data, basically. Given that the USA has admitted using precisely the same logic to facilitate torturing people without the courts finding fault[1], I don't hold out much hope that they'll suddenly have a Damascene conversion faced with a data privacy issue.

[1] That breaking even the most basic laws via jurisdiction shopping is perfectly fine with the US Judiciary is clearly illustrated by the fact that Federal prisons are not currently playing host to half the Bush era CIA.

Lysenko

Re: "by undertaking acts entirely within the United States"

So hunting Canadians is OK so long as you fire across the border?

No. Mexicans, however ..................

OVH goes TITSUP again while trying to fix its last TITSUP

Lysenko

While not disagreeing with the general idea behind your post, not all systems are equal and in some cases (not necessarily OVH's, I do not know) working on live systems is unavoidable.

I completely agree. I "beta test in production" regularly and, as expected, I regularly take down said systems because of bugs and mistakes. The difference is, those are non-critical systems and I send out messages several days beforehand saying that the system is scheduled for maintenance and should be expected to be offline both during the maintenance period and immediately afterwards because work might overrun (translation: we might cock it up or encounter an unforeseen problem).

I knew of a heart-lung machine repairman, whose job was to fix the thing when it broke in-theatre. Apparently the guy was an ace with a soldering iron.

High-pressure job. I bet he wasn't handing out 99.98% patient survival guarantees though. There's nothing inherently wrong in working with no safety net, it's just unprofessional to act all surprised when you eventually come crashing down and break something. If they advertised: "OVH is a Tier I service provider with DR provisions as limited as our fees." then I would have no problem with that.

Lysenko

Are you seriously suggesting they build three backbone networks instead of one?

Your approach works very well with servers. It doesn't work for networks.

There's no difference. Tier IV is defined in terms of overall system resilience and ability to mitigate TITSUP conditions. It's irrelevant whether it is the network or the servers or the HVAC that goes down. All critical components must be fault tolerant and/or redundant. If that means you need to string a whole new fibre pipe across the Atlantic then that's what you have to do.

However, repositories of cat photos don't exactly justify Tier IV, so I would never expect most businesses to invest in that. What I do expect them to do (as I noted at the outset) is to say what service level they're aiming for and not act all dazed and confused when their Tier II (or I) infrastructure crumbles beneath them. You expect that with Tier II. That's what defines it as Tier II. That's why it's (comparatively) cheap.

Lysenko

Maybe you would like to stroll over and show them how it's done?

Evidently, quite a few people here could. You do not go around rolling out patches and upgrades like this on primary production systems. You have a staging environment, which is also your tertiary failover system. Once you're happy that staging is updated and apparently idling happily, you temporarily promote it to secondary and then do a failover test (which should be a routine, monthly event) by taking the primary offline. If things go TITSUP then the regular secondary system cuts in and you immediately bring the primary back up again and investigate at leisure.

The point is, you always have three levels of redundancy and you always have two systems in known good (as in previously production tested) configuration. This isn't rocket science. It's a simple, sequential procedure. It costs money of course and it may not represent appropriate ROI for every business but in that case, say so and don't pretend to act all surprised when things crash and burn - it just looks like incompetence rather than the commercial risk/benefit/cost calculation that it (hopefully) actually is.

Hortonworks takes ex-sales manager to court over non-compete allegations

Lysenko

Re: Standard Operating Procedure These Days...

Hardly earth-shattering in any event - show me somebody who doesn't have traces of porn on their phone or laptop and I'll show you a liar.

Not only non-Earth shattering, not even remotely relevant. Even if it were an established fact, it would be grounds for internal gross misconduct proceedings which, at most, could give them a defensible reason for summarily terminating his employment ....... oh.

There's some subtext here. The case looks weak as hell in the first place and attempted smear tactics like this can only influence the Judge in one way - against the complainant.

DXC Technologies UK boss quits

Lysenko

Re: Will the last one to leave

It's simple physics. Once a death spiral is initiated the centripetal forces cause ever more staff and resources to be flung off into the void, transferring angular momentum to the spiral, thus accelerating it further and increasing the peripheral centripetal forces until you finally reach the "MBA Singularity" - a region of compressed stupidity, greed and incompetence of such incredible density that no thought or common sense can ever escape.

Spy-on-your-home Y-Cam cameras removes free cloud storage bit

Lysenko

Re: A little OTT

ZoneMinder or motionEye.

Lysenko

Re: A little OTT

If you firewall the camera then that cannot happen anyway.

...and if you *don't* firewall the camera already you've got a dodgy old version of Linux/BusyBox on the open internet with (at least in some versions) a hard-coded root password. These things are almost all RALink (MIPS arch) SBCs with a webcam core on the USB port. DDoS or spam zombies just waiting to be recruited, aside from the privacy implications.

On the other hand, they're perfectly fine on a closed LAN streaming to a Raspberry Pi type[1] SBC which motion detects and encrypts before uploading to the 5Gb S3 bucket AWS gives you for free.

[1] Not an actual Raspberry Pi. Rubbish Ethernet. A Banana Pi or an OLinuXino A20 or one of the Nano Pis.

Lysenko

A little OTT

The cameras cannot store video locally, meaning Y-Cam's own service is the only option for storage...

They're bog standard IP cams. You can use anything that can stream MJPEG or FFMPEG to record the output.

Apple looks forward to wiping $47bn off its overseas profit tax bill – thanks to US shakeup

Lysenko

Maybe I should take a bow...

I believe your glorious leader prefers his minions to grovel.

Nokia 8: As pure as the driven Android - it's a classy return

Lysenko

Nokia 925 is still my favourite phone

... yes, it's a WinPhone and stuck on V8, but there's damn little I care about that won't run on it and it still stuffs everything else on battery life and signal strength. The rest of the time I use a WileyFox. North of £500 for a phone isn't happening - period.

Well, not quite. I do have an iPhone, because sometimes I need to check software on the thing, but that's a business expense. It lives in a drawer, gathering dust along with the Blackberry Curves and assorted other junk (which reminds me - it hasn't been powered on since August - it probably needs an OS update or seven).

Boffins foresee most software written by machines in 2040

Lysenko

Re: We've been here before...

A specific selling point of the Cortex M is that (because its interrupt handlers use C calling conventions) you can write bare metal firmware for it without using any assembler whatsoever, actually.

You may not have to write much of it but you certainly need to read and understand it. Try diagnosing that without knowing assembly language.

Lysenko

Re: We've been here before...

almost nobody needs to know asm any more

The "IoT" hypefest has clearly passed you by. Try building one of those billions of battery powered sensor nodes that the (near) futurists are predicting without a solid understanding of ARM M0-M4 ASM. You can do a lot of it in higher level languages like C of course, but you'll still need to visit the basement from time to time. Java? .NET? or (I'm about to lose a rib here) functional languages with stack busting recursion all over the shop? Hahahahaha.

AI *might* be able to start writing general purpose code reliably a few decades after it completely masters synthesizing SQL from natural language which is something it currently isn't even remotely close to achieving, despite the query space being precisely defined and constrained by the database metadata and decades of precursor work on QBE (Query by Example).

Tech giants at war: Google pulls plug on YouTube in Amazon kit

Lysenko

Re: Don't get worked up over each other

It's not really right and wrong but almost Good vs Evil.

Ridiculous, isn't it? As if American party political discourse would ever degenerate into such a ludicrous dichotomy. They're only a few steps away from accusing Mr Pai of being "Crooked" or cheerleading mindless slogans like "Lock him up!". Obviously, this is absurdly antithetical to the reasoned and fair-minded debate that American politicians and their appointees universally and rigorously adhere to.

La La La, I can't hear you: FCC responds to net neut concerns

Lysenko

Re: US Consumer Protection

And the root problem there is the ridiculous notion that campaign contributions are "free speech" and that corporations are people too. This could all be solved by only allowing registered voters to donate, and limit that to $1000/year. No more "legal" buying of politicians.

What I've always found odd is that a country obsessed with capitalism seems to be completely oblivious to the fact that it is incompatible with democracy. Unless you have price controls (hard campaign spending limits) the price of any asset (political office) will continually inflate in line with what the market (aspiring politicians) are willing and able to pay. The entire process is reduced to an auction amongst plutocrats.

The cognitive dissonance required to remain in denial of this obvious fact and maintain the delusion that the system is democratic is frankly astonishing. How far back does one have to go to have the option of voting for a President with a personal net worth of <$1M? Has there ever been a President who was not a millionaire in 2017 dollars?

Huawei Mate 10 Pro: The unfashionable estate car wants to go to town

Lysenko

Re: Instant Fail

Yes. When using a Huawei charger the phone can negotiate the charging voltage over the USB data lines thus nearly doubling the power transfer from 10W (5Vx2A) to 18W (9Vx2A). A conventional charger (or data cable) won't respond to the negotiation sequence so charging will proceed at 5V as normal. The same applies if you plug in a wireless charging dongle.

Lysenko

Re: Instant Fail

Instant Fail

"The M10P uses Huawei's proprietary charger"

I have a 9 and I love it, the Standard USB C 2 amp charger gets it charged up pretty damned .

But anything that mentions "proprietary" quickly becomes a PITA...

It's only proprietary in respect of the fast charge feature. It will still charge just fine over conventional 5V USB C, but with its own charger it can ramp up to 9V and double the wattage.

Brit bank Barclays' Kaspersky Lab diss: It's cyber balkanisation, hiss infosec bods

Lysenko

Re: It wasn't DHS advice, it was a DHS binding order of removal

Some people use Apache HTTPD, some others use lighttpd and some others use Microsoft's IIS.

... and others yet use NGINX which is written by ... Ohhh noes !!! Eeeeevillll Rooooskies !!!! ARGGHHH!!

Investigatory Powers Act: You're not being paranoid. UK.gov really is watching you

Lysenko

Re: Relax everyone. This is an ECJ ruling...

Farage will be busy planning how to live on his MEP pension of GBP73K a year (possibly paid in full value Euros if/when Sterling tanks?). Plus presumably ensuring his children have EU citizenship by virtue of his wife being German.

Indeed. You have to admire him in a way. He pulled off one of the most spectacularly successful acts of treason in the last 100 years. They always thought that Philby, Burgess and Maclean were not the whole story, but no-one foresaw a sleeper agent playing such an audacious game over such a long timeframe. Credit where credit is due: as traitors go, he is in a class of his own.

Lysenko

Relax everyone. This is an ECJ ruling...

...and that's an EU court. Thanks to Forage and his merry Brexiteers, HMG won't be encumbered by nuisances like the ECJ for much longer. Everything May, Gove and Boris dream up will be the unquestionable law of the land and there will be nothing anyone can do about it (they're committed to repealing the Human Rights Act as well of course).

So, no need to get excited. They'll just stall for a while until the Brexiteer vision of unfettered Westminster dictatorship is achieved and the law can stand unchallenged as it is. Maybe it'll even be extended. There's no need to pussyfoot around worrying about checks and balances when you've got absolute power, free of all oversight.

Report: Underwater net cables are prime targets for terrorists and Russia

Lysenko

Re: LINX

First prove that there actually is an assault on national infrastructure. Or do you mean shoot first and ask questions later?

Arguing that a cable in mid Atlantic or elsewhere on the high seas is "national" infrastructure might also be difficult.

Not really. Under Article 101 of UNCLOS[1] interference with an undersea cable by a non-state actor can be regarded as piracy and dealt with in exactly the same way as Somali pirates. If it is a state actor then it is state-sponsored piracy which, without an authorizing resolution by the UN Security Council, constitutes an act of war. Either way, there's no legal problem with using force to protect the asset and apprehend the perpetrators.

[1] Piracy consists of ... (a) any illegal acts of violence or detention, or any act of depredation, committed for private ends by the crew or the passengers of a private ship or a private aircraft, and directed — (ii) against a ship, aircraft, persons or property in a place outside the jurisdiction of any State

You're SAP-ing my will to live: Licensing debate lumbers on as ERP giant tries to rebuild trust

Lysenko

What?

They mean customers can be charged for any system that connects, even indirectly, to data stored on SAP systems.

How the hell do they get away with that? I'm pretty sure some data on some websites originates in SAP via several layers of indirection. The company needs a per-seat client licence for the entire internet?! I thought not. So in that case (assuming there's a publishing exception), why can't you just dump the data into web pages (encrypted if necessary) and then screen scrape it back out again as many times as you like? They can't just be saying that they "own" any data that happens to be incorporated into one of their DBs because I know that can be demolished in court.

Good news: Unsecured Amazon Web Services S3 bucket discovery just got easier

Lysenko

Oh, that's not good news is it?

Yes, it is. Much like Telnet vs. SSH, creating a sh!tstorm of such biblical proportions that someone screwing up is almost guaranteed to be comprehensively hacked in seconds is clearly the only way to get the message across to the imbeciles responsible for these daily data leaks.