275 posts • joined 4 Feb 2015
Re: A complete wipe?
Once the system has been compromised, what script are you going to run that guarantees to restore the system state correctly? How can you trust anything that the OS tells you, once you've been infected?
It's not a Windows vs [U|Li]nux thing at all, it's just common sense, regardless of the operating system.
Re: What price security?
Because developers always want to work with the latest shiny-shiny, and they tell their clueless PHBs that the best way is "cloud", and it all goes from there.
I've known several developers make technical decisions purely on the basis that the experience gained would look good on their CV, without any regard for the impact of their choice on the organisation itself.
Partly playing catch-up?
"See historical and real-time performance charts for cluster-wide CPU/memory/network usage and storage IOPS, throughput, and latency, then drill in to see metrics for individual VMs, volumes, and drives."
Surely there's lots of tools that do that already, though?
I use ServerInternals (www.serverinternals.co.uk) because I can customise what it displays, but there's lots out there.
"We are laser-focused on executing against our plan to achieve $1bn+ in revenue this year and marching steadily to profitability in the near future."
To quote a dour Scotsman - "Revenue is vanity - profit is sanity"
As a wise man once said...
"All repairs tend to destroy the structure, to increase the entropy and disorder of the system. Less and less effort is spent on fixing the original design flaws; more and more is spent on fixing flaws introduced by earlier fixes. As time passes, the system becomes less and less well-ordered. Sooner or later the fixing ceases to gain any ground. Each forward step is matched by a backward one. Although in principle usable forever, the system has worn out as a base for progress."
Frederick P. Brooks, The Mythical Man-Month
"The money spent (not just on paying out the points, but on running the whole system) obviously must come from somewhere,"
Most of it comes from the retailer selling information about you.
For example, if you've been buying BrandX cereal for the last two years, and the Kellogs run a TV commercial, do you change to Kellogs? Do you switch back once the commercial stops airing? That sort of information is very valuable to Kellogs.
While you may think that the card is anonymous, it contains a huge amount of information. Most people shop locally, so the supermarket will know (roughly) your address. The supermarket can, even without you telling them, make a good guess of your age, the age and number of children and whether you have a partner or not. A twenty-something single male makes different purchases from a mother with two small children, who again makes different purchases from a retired couple, and so on.
The reason the retailer can afford to give you money back is because you are the product being sold, and you're being sold for more than you're getting back in discounts at the till.
Weasel words as usual
"will always ask your permission to even store map data"
is not the same as
"we will not store map data unless you give us permission"
Re: A better solution
Not sure how it works in the US, but in the UK you can be locked up just for being suspected of a crime - "remanded in custody" it's called. Sometimes the person is subsequently found not guilty, and the net result is that a person goes to prison for a period, even though they are never actually convicted of a crime.
The Guarding Dark
Basic accountancy problem
"For 2013, it paid just £20.4m on sales of £3.8bn – an effective tax rate of 0.5 per cent."
is totally meaningless, since in the UK you pay tax on profits, not revenue.
"If you're paying for a Windows Server license, why would you only use it for a short period of time?"
If you have DataCenter edition of Windows Server, you can run any number of Windows-based VMs on it, without paying for a separate licence for each VM, so bringing up a Windows VM in that situation for a short time is not technically "free", since there's a cost to the original covering licence, but there's no incremental cost for another machine for a short time, so in that sense, the extra machine is free.
"If someone wanted to spin up a server to test something quickly, that's when they'd use Linux."
Not if you're testing Windows software...
Part of the article is missing
The missing part is the bit where it says that Google were asked to delete all the potentially illegal data that they obtained through the project, and to allow independent oversight to ensure that this actually occurs.
I mean, that must have happened, surely? Right?
Re: Security 101: If they're sitting at the computer...
"I'd require some convincing that a std (desktop) Windows can be locked down well, and accounts fully isolated, by a moderately competent user."
I think you're making the classic mistake of conflating the operating system with the applications that run on it. It's perfectly possible to lock down a Windows desktop in the way you describe, and there's very little they can do to mess up anyone but themselves.
The problem comes when someone logged on as that user wants to use an application that, since it is very badly written, has to run with administrative privileges. That is a huge problem in the world of Windows software, but it's due to developer laziness, not a fundamental problem with the operating system itself.
They don't seem to practice what they preach...
Puppet 4.10.1 - Released May 11, 2017.
Puppet 4.10.0 - Released April 5, 2017.
Puppet 4.9.4 - Released March 9th, 2017.
Puppet 4.9.3 - Released February 27, 2017.
The Puppet developers are producing one release a month. The article (presumably quoting from the Puppet report), says:
The "lowest" performing IT organizations are deploying software between once a week and once a month
I'll draw my own conclusions from that...
I have goals, too..
My goals are:
1) Marry Cindy Crawford (Gemma Arterton is an acceptable second choice here)
2) Be a multi-millionaire
3) Live on a private island in the Caribbean
Note to Chris Wanstrath: Anyone can come up with some goals - that's not the same as having realistic goals, or being certain you can achieve them.
On a different note - there's almost three times as many repos as developers? That doesn't sound like it's being used much by teams, but mainly by individuals with multiple projects each.
Re: Really a power failure?
Possibly not left by a disgruntled employee.
The original WannaCrypt worm ran around encrypting files, but a more stealthy variant could have installed itself and simply waited until a later point in time, or for instructions from a command and control centre somewhere.
Never mind $300 in BitCoin to ransom a few Excel spreadsheets and a couple of PowerPoint presentations. How about $ <really big number> or no BA flights take off?
A Trick From The Apple Playbook
Well, and lots of other businesses as well...
1) Put something on sale
2) Immediately remove it from sale, claiming stock shortage due to too much demand
3) Get lots of free publicity about the fact it's now on sale, with the implication that it's really good
It's not the CO2 that's the problem...
.. at least in the immediate vicinity of the car.
The emissions regs aren't just there to limit CO2, but also all the other stuff that comes out of the exhaust pipe. It's the particulate matter (PM10 and PM2.5) and NOx that cause the problems for the person on the pavement next to the road, and it's those emissions that rise drastically (like 40 times higher) when the car thinks it isn't being tested.
That's a bad idea
If it had been me I'd have tried to mount the drive and see how much could be deleted from it before it all fell apart.
If you're in the UK, that's a really bad idea. It counts as unauthorised access under the Computer Misuse Act, and gets you 12 months in prison and/or an unlimited fine.
CPU Frequencies and Quality
Making silicon chips is not an exact science. For an 8 core chip, due to the small defects which will always be present, some cores will be able to operate safely at higher frequencies than others on the same chip.
It's not that Intel's quality is bad - it's just that no-one has worked out how to make absolutely 100% pure silicon, slice it into wafers, and then put several billion transistors on it without making a single error.
"For permission reasons browser auto-update features rarely work in Linux"
But surely a daemon (running as root, but not doing any actual browsing) could do it? I don't see it as Linux permissions problem - it sounds like a "the developers couldn't be bothered" problem.
On Windows, Chrome and Acrobat Reader both manage it without requiring that the desktop application that the user actually interacts with is running with administrative privileges.
Re: Was about to say the same thing
"Also it should be the company that has to prove that any of the above was legally sent"
To mis-quote a certain Horace Rumpole, that breaks the Golden Thread of British Justice, and while I can understand your position, it's the thin end of a very large wedge.
Driving above 70mph on a motorway is illegal in the UK. I don't want to be in a position where I'm pulled over by the police, and it's up to me to prove that I wasn't exceeding the speed limit. That's a mild example - I'm sure you can imagine much worse ones.
It always has been "innocent until proven guilty", and it has to stay that way, whatever you think of the offence or the people perpetrating it.
Isn't he at least two levels out?
"It doesn't get any smaller than a single atom"
Well, apart from all the protons and neutrons that make up an atom, and all the quarks that make up the protons and neutrons...
Store a bit on a quark and then I'll be impressed! I'm sure our El Reg correspondent could find a strange but charming way to spin that announcement...
But seriously - top boffiny! Drinks all round!
Windows Server ported to Qualcomm's ARM server chip. Repeat, Windows Server ported to ARM server chip
Re: So you make the motherboard smaller...
The drives might actually be hot-swappable. Given their location, you'd need to take the lid off, granted, and probably slide the whole thing a long way out of the rack, but those issues simply make changing drives while the server is running inconvenient, not impossible.
There's more to it than that...
"the WHOLE point is reduce the ability to swap suppliers easily"
I don't think that's the real rationale, although I'm sure the suppliers are working on making it hard to "switch meters".
I think the real reason is to introduce time- and demand-based billing, something that's impossible with the present meters, since all you get is a total usage over a number of months.
That's not how hashes work
"The mathematical operation should produce a unique result for any given input"
That's not how hashes work. There's lots of inputs that will all produce the same hash, and producing a hash from an input is, relatively speaking, computationally trivial. The tricky bit is to, for a given hash, find an input that will generate that hash and that is meaningful in the context of the original input (for example, as Google did producing a second valid PDF). That is computationally very difficult. That's why they are often called "one-way" functions.
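As an added illustration of the distinction drawn in the post above (this is example code written for this page, not the commenter's or anyone else's code): a collision, meaning any two inputs with the same hash, is cheap to find by a birthday search, while a second preimage, meaning a different input that matches one fixed hash and still reads sensibly, costs exponentially more. The example truncates SHA-256 to a small number of bits purely so the asymmetry is visible in seconds; the candidate message formats, the bit lengths and the "Pay ..." strings are constructed inputs chosen for the demonstration.

```python
import hashlib
from typing import Dict, Optional, Tuple


def truncated_hash(data: bytes, nbits: int) -> int:
    """SHA-256 truncated to its top nbits bits.

    Truncation only makes the searches below finish quickly; the asymmetry
    is the same for the full 256-bit output, just 2^128 versus 2^256 work.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def find_collision(nbits: int, limit: int = 1 << 22) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday search: any two distinct inputs sharing a truncated hash.

    Expected cost is roughly 2^(nbits/2) hashes, because the attacker is
    free to choose BOTH inputs.  Returns (input_a, input_b, hashes_computed)
    or None if the limit is hit.
    """
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = b"collision-candidate-%d" % i  # constructed input, all distinct
        h = truncated_hash(msg, nbits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def find_second_preimage(original: bytes, prefix: bytes, nbits: int,
                         limit: int = 1 << 26) -> Optional[Tuple[bytes, int]]:
    """Find a different input, starting with a chosen prefix, whose truncated
    hash equals that of `original`.

    This is the hard direction the post describes: the target is fixed and
    the candidate must stay meaningful (here: keep the attacker's prefix),
    so expected cost is roughly 2^nbits hashes.  Returns (input, hashes) or None.
    """
    target = truncated_hash(original, nbits)
    for i in range(limit):
        candidate = prefix + b" #%d" % i  # the counter is the only free part
        if candidate != original and truncated_hash(candidate, nbits) == target:
            return candidate, i + 1
    return None


def expected_work(nbits: int) -> Tuple[int, int]:
    """(collision, second-preimage) hash counts the textbook analysis predicts."""
    return 1 << (nbits // 2), 1 << nbits


if __name__ == "__main__":
    bits = 20
    print("predicted work (collision, second preimage):", expected_work(bits))

    found = find_collision(bits)
    if found:
        a, b, n = found
        print("collision after", n, "hashes:", a, b)

    legit = b"Pay 100 GBP to Alice"          # constructed 'document'
    forged = find_second_preimage(legit, b"Pay 100 GBP to Mallory", bits)
    if forged:
        c, n = forged
        print("second preimage after", n, "hashes:", c)
```

Run it with `bits` at 20 and the collision typically appears after about a thousand hashes while the forged document needs around a million; raise `bits` by two and the second-preimage cost quadruples while the collision cost only doubles. That gap is the whole reason a real 256-bit hash is usable: 2^128 for a collision is already out of reach, and 2^256 for a targeted forgery is far beyond it.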
The problem I have is that my serpent is making a horrible squeaking sound. It probably needs a bit of lubrication.
But, having read the article, I think that Symbolic IO have something suitable...
Re: 30 years....
I think the difference is that the tracks on the DLR are not the public highway.
Re: Just need better certificate management
Have you tried extracting the certificate from the relevant program (easy to do from the 'Digital Signatures' property page in Explorer), and then adding that certificate to the 'Untrusted Certificates' store? I'm fairly certain that would get you the result you're after.
Re: Hardware Dongles
a dedicated, non-connected, computer
The machine doing the signing has to have internet connectivity, because it needs to get to the CA's timestamp server as part of the signing process. If you don't do that, the signature can't be verified after the expiration date of the certificate.
Re: Change in mindset is needed IMO
"The thing about chains of trust is that they have to be anchored somewhere, and that starting point can still be betrayed."
That's true, but it's a bit like the famous quote about democracy - it's the worst solution, apart from all the others that have been tried.
Re: the approximate doubling of certificate prices.
This has nothing to do with open source, and nothing to do with preventing someone writing something for their own computer.
There's no suggestion that the OS is going to require signed application-level code. There's nothing to stop you from downloading Visual Studio Community Edition (for free), or an open-source IDE such as Eclipse, writing The World's Best Program, publishing the full source code on GitHub under the GPL and also running it on your own computer.
Re: Change in mindset is needed IMO
If everyone signs code with a self-generated certificate, there's no point in doing it.
One of the reasons behind code signing is that it prevents impersonation. I can write an installer that claims to be the latest Java update, but since it isn't signed by Oracle, it will look suspicious. The assumption here is that the CA won't issue me with a code signing cert for Oracle, since I can't prove that I represent Oracle Corporation, Inc.
As you say "They trust our code to be run on their machines in the first place, so why wouldn't they trust us to sign our own code as a sign of approval for what we gave out?". Code signing tells you that the program you are running really is from the people you think it's from. A program signed with a publisher-generated certificate doesn't give you that guarantee.
It's a chain of trust - you trust that the CA has verified that the publisher is who they say they are, and you trust the publisher, so therefore you can trust the signed software which claims to be from the publisher.
Re: Hardware Dongles
But you only get one dongle, surely? In that case, it needs to be permanently put into the build server, assuming you have only one. Multiple build servers might mean multiple dongles, unless you now have a single "signing server" that just does the signing.
Life may get interesting if the machine that does the building and signing is a VM. Getting a VM to access a physical USB slot directly can be a bit tricky at the best of times, and it somewhat messes up the ability to migrate the machine to another host.
Are they "growing"?
Q3 2016 financial highlights are:
Revenues are up, sure. But profitability? Seems a long way off.
No, I'm quite capable of copying and pasting.
But, at the same time, I realise that not everyone is, or even wants to. Some people want to just install some software and get on with other things. The Spotify approach doesn't seem to make it as easy as it could be.
By the way, will the copying and pasting work for all current distros, or is the approach different for say, Fedora or SUSE?
Re: Installing Spotify on Linux Mint.
That's great. Spotify should probably put those instructions on their Linux page. When I tried it, on Mint 17.3 x64 (not the latest, I realise, but I happened to have a VM with it installed for other reasons), I was offered two choices, spotify-client-0.9.17, which appears to be v0.9.17 (natch), and spotify-client:i386, which appears to be v188.8.131.52. Personally, I don't think it's obvious which one to install. I probably don't want the i386 one, since I'm on a 64 bit OS, but it's the later version, so probably I do. There's some usability work to do there, I feel.
But the bigger problem that I see is that while life is good for those using Mint, do those instructions you supplied work for openSUSE? For Fedora? For Ubuntu?
For Windows and Mac, you get one file, that you double-click to install. The current Windows client seems to be v1.0.45, so the Mint distros are a bit behind the times. If there was a single file that you could download direct from the Spotify web site, that would
a) remove the problem of "is this the real thing or not?" that is always a concern when downloading from a link found via a search engine, regardless of operating system.
b) guarantee it was the latest version, without relying on the repo maintainers to keep it updated.
So, a serious question, which is a serious question, even though I'm aware it will look like Linux-trolling, and I'm hoping that someone who develops for the Linux platform, rather than just uses it, can answer. Why is the method different for Linux? What is the advantage in not simply supplying a packaged install that people can download direct from spotify.com?
There's still a difference between "utilities" like Dropbox and Spotify, and heavyweight productivity apps.
Even people like Spotify don't really care about Linux on the desktop. Take a look at these three links:
The first two are nice and friendly. There's some pretty pictures, and it auto-starts a suitable download.
For Linux, you get four lines of what, to a non-technical user, will appear as meaningless gobbledygook. It's 2017, but to install the Linux client for a worldwide music streaming service, I have to run four text commands, including entering a 40 character hexadecimal key, and the best they can say about it is "Our aim is that it should work".
I'm not a fan of Windows 10, but it's easy to see why many people aren't switching to some penguin-based OS.
Practice What You Preach...
From the article: [Dave Farley] puts the theory into practice through his consulting work with leading organisations looking to ramp up their delivery of software.
Quotes from his web site (http://www.continuous-delivery.co.uk/consultancy.html) say:
"Dave Farley is an expert in the field of automated testing" and "Continuous Delivery is associated with high quality software."
He has also written The Reactive Manifesto, which helps to build "systems are more robust, more resilient, more flexible and better positioned to meet modern demands."
So, the natural thing is to follow the link to his personal blog, www.davefarley.net, to find out more about this expert in testing, who can clearly guarantee that he can help you deliver high quality software.
It's such a pity that all you get is a 500 error, and the site doesn't work at all...
How many days? Is the third day free?
From the article:
our three day-extravaganza of DevOps, Continuous Delivery, Containerization and Agile in May
From the Continuous Lifecycle web site:
Early bird tickets are now available for the two day conference on May 17 and 18
Intriguingly, the ability to make a phone call did not appear on the list.
That's not terribly surprising, really. If you asked someone what they liked best about their car, I bet the response "it can transport me from A to B" wouldn't make the list either. If the feature is such an intrinsic part of the object, it tends not to appear on a list like that.
Re: Halifax online may be suspect at the moment
It's benign, sort of.
It's from a marketing and analytics operation, now owned by Oracle, so while not "good", it's not "bad" in that sense.
"the default profile should be a standard user."
Err... it is, and it's been that way for more than 10 years. Ever since Vista.
proven repeatedly in multiple peer-reviewed studies
That's an interesting use of the word "proof". I wasn't aware that simply getting a bunch of people to agree on something constituted scientific proof.
Now, before the commentard community howls "heretic - climate change denier!", there's no doubt in my mind that human activity is having an effect. The issue I never see addressed is how much of an effect. Since the climate hasn't exactly been stable for any of the last 4.5 billion years, it seems foolish to assume that all the changes we see now are due to humans.
Does anyone have some scientifically valid figures on how much is natural variation and how much is due to the 7 billion ape-like creatures roaming the planet?
Re: This is why...
That's fine for the smaller shop. It's quite hard to just "plug an external USB disk" into that 100TB SAN that the bigger boys use...
Re: What good will this "relaxation" do?
I suspect it's just the opposite. I can't speak for LAMP-based sites, but if you're using ASP in any flavour, you get cookies as part of the architecture.
Any e-commerce site will be using them, because without some kind of state management, any form of basket management is impossible. There are alternatives to that which the EU defines as a cookie, such as modifying the URL, storing state in the DOM, or using "Flash cookies", but they are all "worse" than standard HTTP cookies for compatibility and user-acceptance.
A lot of cookies are benign, anyway, and aren't used for user tracking. Our product is priced in GBP, USD and EUR, and a visitor can select their preferred currency. We pre-select based on a geo-lookup on their first visit, but that's not perfect, and just because, for example, a visitor is in Europe doesn't mean that they always want pricing in Euros. We keep their selected preference in a cookie. No user tracking, just a small convenience for them.
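As an added example of the kind of preference cookie the post above describes (written for this page, not the commenter's or their product's code): the cookie carries nothing but the chosen currency, is set with the attributes that stop it leaking or being replayed cross-site, and, the part practitioners usually forget, its value is validated against an allow-list on every request rather than trusted, with the geo-lookup result as the fallback. The cookie name, the currency set and the 365-day lifetime are assumptions chosen for the example; nothing here identifies or tracks the visitor.

```python
from http.cookies import CookieError, SimpleCookie
from typing import Optional

# Assumed for the example: the three currencies the post mentions.
ALLOWED_CURRENCIES = frozenset({"GBP", "USD", "EUR"})
COOKIE_NAME = "currency"  # assumed name


def build_currency_cookie(currency: str, max_age_days: int = 365) -> str:
    """Return the Set-Cookie header value for a validated currency choice.

    Secure   - only sent over HTTPS, so the preference cannot be altered on
               a plain-HTTP hop;
    HttpOnly - not readable by page scripts (it is a server-side preference);
    SameSite - not attached to cross-site requests, so a third party cannot
               silently flip the visitor's pricing; Lax still allows top-level
               navigation from a link to see it.
    """
    if currency not in ALLOWED_CURRENCIES:
        raise ValueError("unsupported currency: %r" % currency)
    jar = SimpleCookie()
    jar[COOKIE_NAME] = currency
    morsel = jar[COOKIE_NAME]
    morsel["max-age"] = max_age_days * 24 * 60 * 60
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def currency_from_request(cookie_header: Optional[str], geo_default: str) -> str:
    """Decide the currency for this request.

    The cookie is client-controlled input: an absent, malformed, or
    tampered value falls back to the geo-lookup default rather than
    being passed through to pricing code.
    """
    if geo_default not in ALLOWED_CURRENCIES:
        raise ValueError("geo default must itself be an allowed currency")
    if not cookie_header:
        return geo_default
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return geo_default
    if COOKIE_NAME not in jar:
        return geo_default
    value = jar[COOKIE_NAME].value
    return value if value in ALLOWED_CURRENCIES else geo_default


if __name__ == "__main__":
    print("Set-Cookie:", build_currency_cookie("EUR"))
    # Constructed request headers: a valid choice, a tampered one, none at all.
    for header in ("currency=EUR; session=abc", "currency=../../etc", None):
        print(repr(header), "->", currency_from_request(header, "GBP"))
```

The two halves belong together: the attributes protect the cookie in transit and in the browser, while the allow-list on the way back in means that whatever a client sends, the only values that ever reach the pricing logic are the three strings the site defined.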