nav search
Data Centre Software Security DevOps Business Personal Tech Science Emergent Tech Bootnotes
BOFH
Lectures

* Posts by Electron Shepherd

275 posts • joined 4 Feb 2015

Page:

Malware hidden in vid app is so nasty, victims should wipe their Macs

Electron Shepherd

Re: A complete wipe?

Once the system has been compromised, what script are you going to run that guarantees to restore the system state correctly? How can you trust anything that the OS tells you, once you've been infected?

It's not a Windows vs [U|Li]nux thing at all, it's just common sense, regardless of the operating system.

54
2

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

Electron Shepherd

Re: What price security?

Because developers always want to work with the latest shiny-shiny, and they tell their clueless PHBs that the best way is "cloud", and it all goes from there.

I've known several developers make technical decisions purely on the basis that the experience gained would look good on their CV, without any regard for the impact of their choice on the organisation itself.

30
0

Microsoft teases web-based Windows Server management console

Electron Shepherd

Partly playing catch-up?

"See historical and real-time performance charts for cluster-wide CPU/memory/network usage and storage IOPS, throughput, and latency, then drill in to see metrics for individual VMs, volumes, and drives."

Surely there's lots of tools that do that already, though?

I use ServerInternals (www.serverinternals.co.uk) because I can customise what it displays, but there's lots out there.

1
1

Pats on the back all round as Pure Storage announces new CEO and growing revenues

Electron Shepherd

Ahm ooot...

"We are laser-focused on executing against our plan to achieve $1bn+ in revenue this year and marching steadily to profitability in the near future."

To quote a dour Scotsman - "Revenue is vanity - profit is sanity"

2
1

70% of Windows 10 users are totally happy with our big telemetry slurp, beams Microsoft

Electron Shepherd

A (possibly better) and certainly longer list

See http://someonewhocares.org/hosts/

That's around 13,000 entries, covering telemetry and a lot of other spyware / ad serving and generally unpleasant domains.

6
0

It's 2017 and Hyper-V can be pwned by a guest app, Windows by a search query, Office by...

Electron Shepherd

As a wise man once said...

"All repairs tend to destroy the structure, to increase the entropy and disorder of the system. Less and less effort is spent on fixing the original design flaws; more and more is spent on fixing flaws introduced by earlier fixes. As time passes, the system becomes less and less well-ordered. Sooner or later the fixing ceases to gain any ground. Each forward step is matched by a backward one. Although in principle usable forever, the system has worn out as a base for progress."

Frederick P. Brooks, The Mythical Man-Month

31
0

Enumeration bug offers five-finger discount on Woolworth Australia loyalty points

Electron Shepherd

Re: Disloyalty.

"The money spent (not just on paying out the points, but on running the whole system) obviously must come from somewhere,"

Most of it comes from the retailer selling information about you.

For example, if you've been buying BrandX cereal for the last two years, and the Kellogs run a TV commercial, do you change to Kellogs? Do you switch back once the commercial stops airing? That sort of information is very valuable to Kellogs.

While you may think that the card is anonymous, it contains a huge amount of information. Most people shop locally, so the supermarket will know (roughly) your address. The supermarket can, even without you telling them, make a good guess of your age, the age and number of children and whether you have a partner or not. A twenty-something single male makes different purchases from a mother with two small children, who again makes different purchases from a retired couple, and so on.

The reason the retailer can afford to give you money back is because you are the product being sold, and you're being sold for more than you're getting back in discounts at the till.

6
0

iRobot just banked a fat profit. And it knows how to make more: Sharing maps of your homes

Electron Shepherd
Unhappy

Weasel words as ususal

"will always ask your permission to even store map data"

is not the same as

"we will not store map data unless you give us permission"

26
0

Want to visit your loved one in jail? How about Skype instead?

Electron Shepherd

Re: A better solution

Not sure how it works in the US, but in the UK you can be locked up just for being suspected of a crime - "remanded in custody" it's called. Sometimes the person is subsequently found no -guilty, and the net result is that a person goes to prison for a period, even though they are never actually convicted of a crime.

48
0

Snopes.com asks for bailout amid dispute over who runs the site and collects ad dollars

Electron Shepherd

The Guarding Dark

9
1

Guess who doesn't have to pay $1.3bn in back taxes? Of course it's fscking Google

Electron Shepherd

Basic accountancy problem

The phrase

"For 2013, it paid just £20.4m on sales of £3.8bn – an effective tax rate of 0.5 per cent."

is totally meaningless, since in the UK you pay tax on profits, not revenue.

26
1

Feelin' safe and snug on Linux while the Windows world burns? Stop that

Electron Shepherd

"If you're paying for a Windows Server license, why would you only use it for a short period of time?"

If you have DataCenter edition of Windows Server, you can run any number of Windows-based VMs on it, without paying for a separate licence for each VM, so bringing up a Windows VM in that situation for a short time is not technically "free", since there's cost to the original covering licence, but there's no incremental cost for another machine for a short time, so in that sense, the extra machine is free.

"If someone wanted to spin up a server to test something quickly, that's when they'd use Linux."

Not if you're testing Windows software...

7
0

Google DeepMind trial failed to comply with data protection – ICO

Electron Shepherd
Unhappy

Part of the article is missing

The missing part is the bit where it says that Google were asked to delete all the potentially illegal data that they obtained through the project, and to allow independent oversight to ensure that this actually occurs.

I mean, that must have happened, surely? Right?

39
0

Stack Clash flaws blow local root holes in loads of top Linux programs

Electron Shepherd

Re: Security 101: If they're sitting at the computer...

" I'd require some convincing that a std (desktop) Windows can be locked down well, and accounts fully isolated, by a moderately competent user.

I think you're making the classic mistake of conflating the operating system with the applications that run on it. It's perfectly possible to lock down a Windows desktop in the way you describe, and there's very little they can do to mess up anyone but themselves.

The problem comes when someone logged on as that user wants to use an application that, since it is very badly written, has to run with administrative privileges. That is a huge problem in the world of Windows software, but it's due to developer laziness, not a fundamental problem with the operating system itself.

15
2

State of DevOps: Everyone's slinging code out faster

Electron Shepherd
WTF?

They don't seem to practice what they preach...

From https://docs.puppet.com/puppet/4.10/release_notes.html

Puppet 4.10.1 - Released May 11, 2017.

Puppet 4.10.0 - Released April 5, 2017.

Puppet 4.9.4 - Released March 9th, 2017.

Puppet 4.9.3 - Released February 27, 2017.

The Puppet developers are producing one release a month. The article (presumably quoting from the Puppet report), says:

The "lowest" performing IT organizations are deploying software between once a week and once a month

I'll draw my own conclusions from that...

9
0

GitHub CEO Wanstrath: 'Our goal is no outages'

Electron Shepherd

I have goals, too..

My goals are:

1) Marry Cindy Crawford (Gemma Arterton is an acceptable second choice here)

2) Be a multi-millionaire

3) Live on a private island in the Caribbean

Note to Chris Wanstrath: Anyone can come up with some goals - that's not the same as having realistic goals, or being certain you can achieve them.

On a different note - there's almost three times as many repos as developers? That doesn't sound like it's being used much by teams, but mainly by individuals with multiple projects each.

4
0

BA's 'global IT system failure' was due to 'power surge'

Electron Shepherd

Re: Really a power failure?

Possibly not left by a disgruntled employee.

The original WannaCrypt worm ran around encrypting files, but a more stealthy variant could have installed itself and simply waited until a later point in time, or for instructions from a command and control centre somewhere.

Never mind $300 in BitCoin to ransom a few Excel spreadsheets and a couple of PowerPoint presentations. How about $ <really big number> or no BA flights take off?

2
6

Pure's punchy first fiscal 2017 quarter opens door to billion-dollar year

Electron Shepherd

Re: TL:DR 3 years in and still making a loss.

Yes, but is Amazon an example of a good business strategy or just another example of survivorship bias?

See https://www.xkcd.com/1827/

1
0

Nokia's retro revival 3310 goes on sale and disappears immediately

Electron Shepherd

A Trick From The Apple Playbook

Well, and lots of other businesses as well...

1) Put something on sale

2) Immediately remove it from sale, claiming stock shortage due too much demand

3) Get lots of free publicity about the fact it's now on sale, with the implication that it's really good

6
0

Emissions cheating detection shines light on black box code

Electron Shepherd

It's not the CO2 that's the problem...

.. at least in the immediate vicinity of the car.

The emissions regs aren't just there to limit CO2, but also all the other stuff that comes out of the exhaust pipe. It's the particulate matter (PM10 and PM25) and NOx that cause the problems for the person on the pavement next to the road, and it's those emissions that rise drastically (like 40 times higher) when the car thinks it isn't being tested.

26
0

The eternal battle for OpenStack's soul will conclude in three years. Again

Electron Shepherd

Re: OT and bugging

The Seventh Seal

1
0

Wannacry: Everything you still need to know because there were so many unanswered Qs

Electron Shepherd

That's a bad idea

If it had been me I'd have tried to mount the drive and see how much could be deleted from it before it all fell apart.

If you're in the UK, that's a really bad idea. It counts as unauthorised access under the Computer Misuse Act, and gets you 12 months in prison and/or an unlimited fine.

5
0

Rejoice, for Linux 4.11 has been delivered!

Electron Shepherd

CPU Frequencies and Quality

Making silicon chips is not an exact science. For an 8 core chip, due to the small defects which will always be present, some cores will be able to operate safely at higher frequencies than others on the same chip.

It's not that Intel's quality is bad - it's just that no-one has worked out how to make absolutely 100% pure silicon, slice it into wafers, and then put several billion transistors on it without making a single error.

7
0

Flatpak and Snaps aren't destined for graveyard of failed Linux tech yet

Electron Shepherd

Re: Faff

"For permission reasons browser auto-update features rarely work in Linux"

But surely a daemon (running as root, but not doing any actual browsing) could do it? I don't see it as Linux permissions problem - it sounds like a "the developers couldn't be bothered" problem.

On Windows, Chrome and Acrobat Reader both manage it without requiring that the desktop application that the user actually interacts with is running with administrative privileges.

3
3

Road accident nuisance callers fined £270,000 for being absolute sh*tbags

Electron Shepherd

Re: Was about to say the same thing

"Also it should be the company that has to prove that any of the above was legally sent"

To mis-quote a certain Horace Rumpole, that breaks the Golden Thread of British Justice, and while I can understand your position, it's the thin end of a very large wedge.

Driving above 70mph on a motorway is illegal in the UK. I don't want to be in a position where I'm pulled over by the police, and it's up to me to prove that I wasn't exceeding the speed limit. That's a mild example - I'm sure you can imagine much worse ones.

It always has been "innocent until proven guilty", and it has to stay that way, whatever you think of the offence or the people perpetrating it.

10
2

The future of storage is ATOMIC: IBM boffins stash 1 bit on 1 atom

Electron Shepherd
Thumb Up

Isn't he at least two levels out?

"It doesn't get any smaller than a single atom"

Well, apart from all the protons and neutrons that make up an atom, and all the quarks that make up the protons and neutrons...

Store a bit on a quark and then I'll be impressed! I'm sure our El Reg correspondent could find strange but charming way to spin that announcement...

But seriously - top boffiny! Drinks all round!

24
0

Windows Server ported to Qualcomm's ARM server chip. Repeat, Windows Server ported to ARM server chip

Electron Shepherd

Re: So you make the motherboard smaller...

The drives might actually be hot-swappable. Given their location, you'd need to take the lid off, granted, and probably slide the whole thing a long way out of the rack, but those issues simply make changing drives while the server is running inconvenient, not impossible.

2
0

Watt the f... Dim smart meters caught simply making up readings

Electron Shepherd

There's more to it that that...

"the WHOLE point is reduce the ability to swap suppliers easily"

I don't think that's the real rationale, although I'm sure the suppliers are working on making it hard to "switch meters".

I think the real reason is to introduce time- and demand- based billing, something that's impossible with the present meters, since all you get is a total usage over a number of months.

19
0

Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds

Electron Shepherd
Facepalm

That's not how hashes work

"The mathematical operation should produce a unique result for any given input"

That's not how hashes work. There's lots of inputs that will all produce the same hash, and producing a hash from an input is, relatively speaking, computationally trivial. The tricky bit is to, for a given hash, find an input that will generate that hash and that is meaningful in the context of the original input (for example, as Google did producing a second valid PDF). That is computationally very difficult. That's why they are often called "one-way" functions.

37
0

Symbolic IO reveals tech bound to give server old guard the willies

Electron Shepherd

Sqeaky Serpent

The problem I have is that my serpent is making a horrible sqeaking sound. It probably needs a bit of lubrication.

But, having read the article, I think that Symbolic IO have something suitable...

2
0

New UK laws address driverless cars insurance and liability

Electron Shepherd

Re: 30 years....

I think the difference is that the tracks on the DLR are not the public highway.

4
0

Windows code-signing tweaks sure to irritate software developers

Electron Shepherd

Re: Just need better certificate management

Have you tried extracting the certificate from the relevant program (easy to do from the 'Digital Signatures' property page in Explorer), and then adding that certificate to the 'Untrusted Certificates' store? I'm fairly certain that would get you the result you're after.

0
0
Electron Shepherd

Re: Hardware Dongles

a dedicated, non-connected, computer

The machine doing the signing has to have internet connectivity, because it needs to get to the CA's timestamp server as part of the signing process. If you don't do that, the signature can't be verified after the expiration date of the certificate.

1
2
Electron Shepherd

Re: Change in mindset is needed IMO

"The thing about chains of trust is that they have to be anchored somewhere, and that starting point can still be betrayed."

That's true, but it's a bit like the famous quote about democracy - it's the worst solution, apart from all the others that have been tried.

2
0
Electron Shepherd

Re: the approximate doubling of certificate prices.

This has nothing to do with open source, and nothing to do with preventing someone writing something for their own computer.

There's no suggestion that the OS is going to require signed application-level code. There's nothing to stop you from downloading Visual Studio Community Edition (for free), or an open-source IDE such as Eclipse, writing The World's Best Program, publishing the full source code on GitHub under the GPL and also running it on your own computer.

3
0
Electron Shepherd

Re: Change in mindset is needed IMO

If everyone signs code with a self-generated certificate, there's no point in doing it.

One of the reasons behind code signing is that it prevents impersonation. I can write an installer that claims to be the latest Java update, but since it isn't signed by Oracle, it will look suspicious. The assumption here is that the CA won't issue me with a code signing cert for Oracle, since I can't prove that I represent Oracle Corporation, Inc.

As you say "They trust our code to be run on their machines in the first place, so why wouldn't they trust us to sign our own code as a sign of approval for what we gave out?". Code signing tells you that the program you are running really is from the people you think it's from. A program signed with a publisher-generated certificate doesn't give you that guarantee.

It's a chain of trust - you trust that the CA has verified that the publisher is who they say they are, and you trust the publisher, so therefore you can trust the signed software which claims to be from the publisher.

2
0
Electron Shepherd

Re: Hardware Dongles

But you only get one dongle, surely? In that case, it needs to be permanently put into the build server, assuming you have only one. Multiple build servers might mean multiple dongles, unless you now have a single "signing server" that just does the signing.

Life may get interesting if the machine that does the building and signing is a VM. Getting a VM to access a physical USB slot directly can be a bit tricky at the best of times, and it somewhat messes up the ability to migrate the machine to another host.

3
0

En garde! Touché! Sorry for the cliché! Pure Storage flashes its blade

Electron Shepherd

Are they "growing"?

Q3 2016 financial highlights are:

Revenue: $197M

Loss: $78M

Source: https://investor.purestorage.com/news-and-events/press-releases/press-release-details/2016/Pure-Storage-Announces-Third-Quarter-Fiscal-2017-Results/default.aspx

Revenues are up, sure. But profitability? Seems a long way off.

4
2

Microsoft's Linux love-in continues with SUSE support in SQL Server

Electron Shepherd

Re: Office?

No, I'm quite capable of copying and pasting.

But, at the same time, I realise that not everyone is, or even wants to. Some people want to just install some software and get on with other things. The Spotify approach doesn't seem to make it as easy as it could be.

By the way, will the copying and pasting work for all current distros, or is the approach different for say, Fedora or SUSE?

1
1
Electron Shepherd

Re: Installing Spotify on Linux Mint.

That's great. Spotify should probably put those instructions on their Linux page. When I tried it, on Mint 17.3 x64 (not the latest, I realise, but I happened to have a VM with it installed for other reasons), I was offered two choices, spotify-client-0.9.17, which appears to be v0.9.17 (natch), and spotify-client:i386, which appears to be v1.0.9.4. Personally, I don't think it's obvious which one to install. I probably don't want the i386 one, since I'm on a 64 bit OS, but it's the later version, so probably I do. There's some usability work to do there, I feel.

But the bigger problem that I see is that while life is good for those using Mint, do those instructions you supplied work for openSUSE? For Fedora? For Ubuntu?

For Windows and Mac, you get one file, that you double-click to install. The current Windows client seems to be v1.0.45, so the Mint distros are a bit behind the times. If there was a single file that you could download direct from the Spotify web site, that would

a) remove the problem of "is this the real thing or not?" that is always a concern when downloading from a link found via a search engine, regardless of operating system.

b) guarantee it was the latest version, without relying on the repo maintainers to keep it updated.

So, a serious question, which is a serious question, even though I'm aware it will look like Linux-trolling, and I'm hoping that someone who develops for the Linux platform, rather than just uses it, can answer. Why is the method different for Linux? What is the advantage in not simply supplying a packaged install that people can download direct from spotify.com?

2
1
Electron Shepherd

Re: Office?

There's still a difference between "utilities" like Dopbox and Spotify, and heavyweight productivity apps.

Even people like Spotify don't really care about Linux on the desktop. Take a look at these three links:

https://www.spotify.com/uk/download/windows/

https://www.spotify.com/uk/download/mac/

https://www.spotify.com/uk/download/linux/

The first two are nice and friendly. There's some pretty pictures, and it auto-starts a suitable download.

For Linux, you get four lines of what, to a non-technical user, will appear as meaningless gobbledygook. It's 2017, but to install the Linux client for a worldwide music streaming service, I have to run four text commands, including entering a 40 character hexadecimal key, and the best they can say about it is "Our aim is that it should work".

I'm not a fan of Windows 10, but it's easy to see why many people aren't switching to some penguin-based OS.

2
5

Continuous Lifecycle London: Keynote, workshops announced

Electron Shepherd
Unhappy

Practice What You Preach...

From the article: [Dave Farley] puts the theory into practice through his consulting work with leading organisations looking to ramp up their delivery of software.

Quotes from his web site (http://www.continuous-delivery.co.uk/consultancy.html) say:

"Dave Farley is an expert in the field of automated testing" and "Continuous Delivery is associated with high quality software.

He has also written The Reactive Manifesto, which helps to build "systems are more robust, more resilient, more flexible and better positioned to meet modern demands."

So, the natural thing is to follow the link to his personal blog, www.davefarley.net. to find out more about this expert in testing, who can clearly guarantee that he can help you deliver high quality software.

It's such a pity that all you get is a 500 error, and the site doesn't work at all...

0
0

Continuous Lifecycle London: First speakers announced

Electron Shepherd
Unhappy

How many days? Is the third day free?

From the article:

our three day-extravaganza of DevOps, Continuous Delivery, Containerization and Agile in May

From the Continuous Lifecycle web site:

Early bird tickets are now available for the two day conference on May 17 and 18

0
0

Maps and alarm clocks best thing about mobes, say normies

Electron Shepherd

Intriguingly, the ability to make a phone call did not appear on the list.

That's not terribly surprising, really. If you asked someone what they liked best about their car, I bet the response "it can transport me from A to B" wouldn't make the list either. If the feature is such an intrinsic part of the object, it tends not to appear on a list like that.

28
0

Black horse blacks out: Lloyds Bank website goes down

Electron Shepherd

Re: Halifax online may be suspect at the moment

It's benign, sort of.

It's from a marketing and analytics operation, now owned by Oracle, so while not "good", it's not "bad" in that sense.

See http://www.oracle.com/us/corporate/acquisitions/bluekai/index.html

0
0

It's now 2017, and your Windows PC can still be pwned by a Word file

Electron Shepherd

"the default profile should be a standard user."

Err... ... it is, and it's been that way for more than 10 years. Ever since Vista.

5
1

NASA taps ESA satellite Swarm for salty ocean temperature tales

Electron Shepherd

Hmmm....

proven repeatedly in multiple peer-reviewed studies

That's an interesting use of the word "proof". I wasn't aware that simply getting a bunch of people to agree on something constituted scientific proof.

Now, before the commentard community howls "heretic - climate change denier!", there's no doubt in my mind that human activity is having an effect, The issue I never see addressed is how much of an effect. Since the climate hasn't exactly been stable for any of the last 4.5 billion years, it seems foolish to assume that all the changes we see now are due to humans.

Does anyone have some scientifically valid figures on how much is natural variation and how much is due to the 7 billion ape-like creatures roaming the planet?

19
10

Backup Exec console goes AWOL

Electron Shepherd

Re: This is why...

That's fine for the smaller shop. It's quite hard to just "plug an external USB disk" into that 100TB SAN that the bigger boys use...

0
0

Brussels cunning plan to save the EU: No more Cookie Popups

Electron Shepherd

Re: What good will this "relaxation" do?

would imagine that 10E-(a large number) of websites don't use cookies at all

I suspect it's just the opposite. I can't speak for LAMP-based sites, but if you're using ASP in any flavour, you get cookies as part of the architecture.

Any e-commerce site will be using them, because without some kind of state management, any form of basket management is impossible. There are alternatives to that which the EU defines as a cookie, such as modifying the URL, storing state in the DOM, or using "Flash cookies", but they are all "worse" than standard HTTP cookies for compatibility and user-acceptance.

A lot of cookies are benign, anyway, and aren't used for user tracking. Our product is priced in GBP, USD and EUR, and a visitor can select their preferred currency. We pre-select based on a geo-lookup on their first visit, but that's not perfect, and just because, for example, a visitor is in Europe doesn't mean that they always want pricing in Euros. We keep their selected preference in a cookie. No user tracking, just a small convenience for them.

3
1

Page:

The Register - Independent news and views for the tech community. Part of Situation Publishing