
* Posts by OldCrow

42 posts • joined 3 Apr 2015

STIBP, collaborate and listen: Linus floats Linux kernel that 'fixes' Intel CPUs' Spectre slowdown

This post has been deleted by a moderator

Sysadmin’s plan to manage system config changes backfires spectacularly

OldCrow

Re: I'm missing something...

One of those older version-control systems that imitated a physical pile of cards. A check-in removes the file from your disk.

I'm sure it had SOME kind of logical reason for doing that beyond trying to imitate carbon-copy shifting, but I wouldn't know what the reason is.

Bloke fined £460 after his drone screwed up police chopper search for missing woman

OldCrow

The actual reason for rubbernecking is the off-chance that the accident DOES have something to do with you. He saw the lights from his home, so he had higher than average reason to believe that he or someone related may be relevant.

Also, if the police had been there for any other reason (and thus not in need of the chopper), then checking out the situation with a drone, as opposed to turning up in person, would have been lauded by most people on the scene as the right choice.

Shift-work: Keyboards heaped in a field push North Yorks council's fly-tipping buttons

OldCrow

Re: It might just be...

The cables were sold. Thin margins in the recycling business.

The cords can be re-headed. The result is a USB A-to-Micro-C charging cable.

There's a few shops in China that do this.

Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking

OldCrow

Misleading headline

The FreeRTOS itself does not have an integrated TCP/IP stack. There is an official stack available, but it's only free if used on certain hardware. If you use an MCU that's supported by the OS but not the stack, then you'll have to pony up or provide your own TCP/IP stack.

TL;DR: the flaw is not IN the FreeRTOS. It is beside the FreeRTOS.

Case in point, the bugs in this article do not touch my current employer's products. For while we do use FreeRTOS, we use a different TCP/IP stack; one not listed here. (No, I'm not going to tell you which one.)

Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles down

OldCrow

Re: Ha HA!

Depends.

Does DHS still practise "security through obscurity" in their own systems, like they used to?

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

OldCrow

Re: Let's not go overboard with this.

we aren't getting the full story yet

Uhh... yes, we are. Getting the full story, that is. The full story is: "China switched out a memory chip. Did a delayed BIOS driver-switch attack." (Vector is actually named Microsoft Windows Platform Binary Table, not Superfish, which is a separate piece of malware. My apologies for mixing them up.)

You can get full control of the server just by making it load an infected driver before OS boot, via e.g. UEFI option-ROM.

OldCrow

Re: Let's not go overboard with this.

Let's arm-chair-design a recreation of this exploit, and see how close we get to the real thing, after all the facts come out, shall we:

1. Since the BIOS/UEFI is still loaded from an SPI FLASH chip, which is in a very standard form-factor (read: wastefully large blob of plastic around a tiny FLASH chip), it's easy to make an identical package that houses 2 memory areas.

Switch the memory areas after 100 hours of power-on, or after 20 BIOS-loads. Now you have control over the BIOS boot sequence AFTER the board has been tested and installed in location.

2. Next, let's make a USB flash drive, but package it like a USB over-voltage-protector diode package. One of those small ICs that you see hugging the USB bus near the connector, in any properly designed circuit board, protecting the other ICs from your static-electricity-laden fingers.

It'll be the largest over-voltage protector you've ever seen, but it'll still pass inspection.

TVS diodes come in many packages. A government-standard suppressor package may be larger.

Again, activate after 20 power cycles, if (and only if) there is no other device attached to the USB bus.

3. Leverage one of the well-documented standard ways to do a Superfish on the Windows installation.

4. Profit.

Edit:

Scratch that. Just do a proper Superfish after switching the SPI chip memory areas. No need for the USB drive after all. Left as-is for posterity.

Rights group launches legal challenge over London cops' use of facial recognition tech

OldCrow

Re: Donated

Yeah, well, Nazis didn't get rocket-bombed by the Jews every other day over the ghetto walls.

Whereas Israel is bombed regularly by Palestinians. Last year, it was rockets. This year, I hear they've moved to incendiary balloons.

So, yeah, not totally comparable...

OldCrow

Re: Donated

@AC:

"But the Jews have NO RIGHT to steal land that they lost 2000 years ago."

You mean the land that the Jews bought 3 times over the last 2000 years, with money and gold? The seller always got the money, but never got around to handing over the land.

The land that has always housed a population of Jews, from biblical times to this day? The land of Israel was never completely devoid of Jews. They just weren't allowed to govern themselves until now.

"in 1967 they stole a load more"

In one of the wars waged to wipe them out? Hell, if someone was trying to kill me just for my lineage, I'd want some compensation for my trouble too.

The internet's very own Muslim ban continues: DNS overlord insists it can freeze dot-words

This post has been deleted by a moderator

AAAAAAAAAA! You'll scream when you see how easy it is to pwn unpatched HPE servers

OldCrow

Re: Home-written HTTP servers

I'm well aware. And I don't even assume that they're using Linux or other full-fat OS. (Although they should.)

I'm also guilty of writing not just one, but two different HTTP servers for specialized hardware.

But for a product with this kind of volume (and a number 4 right there in the name), you'd think that stability'd be high enough on the list of requirements that they would use a proper library, instead of apparently parsing all the headers by hand.

OldCrow

Home-written HTTP servers

If I had a dollar for every time someone has unnecessarily written an HTTP server from scratch, I could retire right now and save myself an ulcer down the career.

Crime epidemic or never had it so good? Drilling into statistics is murder

OldCrow

Re: We need gunlaws like in the US to fight crime

Re: _By the way, you would be surprised just how many legal weapons are with the population in some Western European countries. Finland, Germany and Switzerland come to mind straight away._

Actually, Finland should not be in this group.

Government records of firearm ownership count every re-sale of a firearm as a new weapon, and fail to record disposal/de-armament. Plus, when the records were combined from prefectures, a lot of guns were just plain counted twice. So, the official statistics show 10x-20x the real gun ownership rate.

The Finnish government is anal-attentive with every other database. But the politicos prefer to give a bloated picture of gun ownership, so this database is left as-is.

On a totally unrelated note, changes are now being made to law that will end private gun ownership totally (while the government is trying to pretend otherwise), so the point is moot anyway.

Ubuntu reports 67% of users opt in to on-by-default PC specs slurp

OldCrow

Re: Really small systems

To be more specific, netbooks used to have 2-4GB RAM. These numbers look like re-purposed Windows netbooks.

Windows 8 era netbooks also came with eMMCs of typically 32GB, which is patently small for W10, but is plenty for Debian or Ubuntu.

History:

I have a HP Stream x360: https://www.theregister.co.uk/2015/04/06/review_hp_stream_x360_convertible_laptop

1366x768 screen, Celeron 2-core, 2GB RAM and 32GB eMMC. All soldered to the board for zero upgradeability.

I ran Debian on it, until GNOME bloated itself out of the RAM. I guess Ubuntu might still run on it.

However, I opted to buy a bigger machine instead.

Originally, the Stream came with Windows 8. But even the original installation used up 15GB of space, and W10 sure didn't get any smaller. So, a lot of the Ubuntu installations may be similar post-W10 throw-aways re-purposed.

Windows Notepad fixed after 33 years: Now it finally handles Unix, Mac OS line endings

OldCrow

Re: "We fixed Notepad,"

Or better yet, they could finally EOL serial-attached-mouse support. Or at least provide an off-switch that actually works.

We keep losing USB-UART dongles. Once they've been recognized as a mouse, they will never work as a UART dongle again. Have to get a new one, that this particular Windows installation has not YET deemed to be a mouse. Again and again. A real BOHICA.

Cavalry riding to the rescue of DDoS-deluged memcached users

OldCrow

Re: Auto responders

Wasn't there a law for this in the U.S.?

One that allows you to "hack back" your hacker?

Or is it still in the making?

Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it

OldCrow

Re: Note that they didn't bother with open source operating systems

There's a reason for that.

The flaws can only be exploited on platforms that run untrusted code, i.e. JavaScript, Flash, et al. BSD variants see mostly server use, so are not that much affected.

If I'd been in Intel's shoes, I would have included Adobe and Mozilla on the short list. But that's the only change I'd make (off the top of my head).

Hate to ruin your day, but... Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits

OldCrow

Re: Just kill ALL code in a browser.

An OS where the user can't install random crap from a phishing email approaches Windows 10S or iOS in lockdown. Usability suffers as a consequence.

This is also wasteful. For protection from legal liability, it is sufficient that the machine can not be compromised without user error (i.e. user's assistance).

A likely path forward for Intel (et al.) is to add a dedicated core with an "untrusted software" mode. This mode would disable speculative execution. Further, the operating system will have to be aware of these "untrusted processes / threads", so they can perform threat mitigations (that are now performed for all threads, sapping performance).

Of course, software such as browsers would have to support "untrusted execution" by declaring their JavaScript engine threads as such.

Anyone willing to make bets?

Secret weekend office bonk came within inch of killing sysadmin

OldCrow

Re: Aircon Leaks

I would. By these easy steps:

1. Submerge whole hose in water, so that no air remains in hose (bucket must be large enough).

2. Squeeze or otherwise block one end of the hose.

3. Pull hose into position (out the nearest window is usually best, as sinks are typically installed too high, relative to bucket).

4. Release blockage from end of hose.

5. Enjoy, while the bucket empties itself.

Who primes any kind of hose by sucking on it, these days? Almost no liquid is anywhere near safe for your lungs or stomach lining. In some places, not even tapwater.

No, Windows 10 hasn’t beaten Windows 7’s market share. Not for sure, anyway

OldCrow

Re: And they were so close...

Well now. Seeing as the alternative, the current state of things, is that Windows 10 "Bog Standard" regularly loses sound playback and/or recording ability, as a result of a "background" driver update. Regularly, yet unpredictably...

I, for one, would much prefer a yearly full installation of the latest build, if it keeps the sound going when we have a 200+ person audience.

Stack Overflow + Salary Calculator = your worth

OldCrow

Re: No server side development, no Unix

@ matjaggard

>Written an HTTP server for Cortex M twice? Here's a wheel, can you invent something for my car to put on the axles please?

So we can safely assume that you've never made software for mass-produced small objects with price and/or safety constraints?

OldCrow

Re: No server side development, no Unix

@ Yet Another Anonymous coward

Ooh! I didn't know S.O. baked their own silicon. Tell me more? </sarcasm>

I imagine that S.O. maintains their own servers and codebase. Accordingly, they would have more sysadmins and Ruby developers (ref. Atwood's blog) to bounce things off of, than C/C++ folk.

Further, the algorithm modeling salary development is going to be based on data from the U.S., so the maximums are going to differ from e.g. the U.K. Further, unless they paid someone for better data, the (crowd-sourced) data-mass that they do have is going to be rather heavily reflecting the S.O. power-user base, since nobody else bothers filling in the questionnaire.

OldCrow

Re: No server side development, no Unix

No Embedded or Driver development either.

Are we getting silo'd in our branches?

I mean - I can see how Stack Overflow would be biased towards Web development, seeing as they are a web-based entity.

But... I do C/C++ for ARM Cortex-M MCUs so small that they usually don't have an OS. But whenever I happen to meet software engineers from other disciplines and happen to tell them as much, half the time their immediate reaction is bewilderment; they can't imagine a system without a full-blown OS or a file-system.

I can see how Python could be rising in popularity - among web developers. But I've yet to see a Python compiler for an ARM M0+.

..Then again, I have written an HTTP server for a Cortex-M. ...twice.

User thanked IT department for fast new server, but it had never left its box

OldCrow

@Lee D

The slow downloads of large files get more noticeable, because general browsing tends to gain speed from an SSD. It's a known side-effect of modern browser cache usage patterns.

Hell, I sped up my own browsing experience by disabling caching. Turns out, my internet connection has a smaller latency than my ancient spinning-rust-disk.

Logitech's security cams allegedly suck so bad, this US bloke is suing it

OldCrow

Re: Security Camera Blues

@Youngone

I've heard good things about this one called "Raspberry Pi". An odd name, but apparently has a good HD camera, and a variety of software packages to choose from. And it's still being manufactured, too, with version 3 apparently now out. So you should be able to get software updates for it for some time.

Internet addict sent to an anti-addiction boot camp is no longer an addict. Because he's dead

OldCrow

Re: Parenting 101

@ AC

>"My son took an interest in horticulture and grew some very interesting plants in the garage."

This assumes having a garage, which puts you in the... something percentile.

We, the proles, do not have a garage. In fact, I do not own (or directly rent) a single piece of land. I have an apartment, in a complex of 300+ apartments.

I have 78 m2 in which to express myself (in Finland). UK average is 76 m2. Hong Kong average is 45 m2. I have seen families live in less than 20 m2. I have heard from the news that there are apartments of less than 2 m3 (yes, cubic) in China.

And you can forget trying to use the public areas for anything constructive in places like Beijing.

OldCrow

Re: Parenting 101

The trick is to give the kids something constructive to do, literally. The opportunity to create something.

But that's hard to do even here. The only creativity-encouraging toy I can find in the shop is LEGOs. There are no longer any "Little Chemist" or similar experimentation sets available. You couldn't even weave wicker baskets if you wanted to, unless you live somewhere with ready access to suitable raw materials direct from nature; no shop sells them. And under-18s don't shop in eBay.

And if that's hard here, where I can access eBay, imagine what it's like in the metropolii of mainland China.

So can you blame the young ones? When the alternatives are electronic entertainment, and getting bored out of their minds?

HMS Queen Lizzie impugned by cheeky Scot's drone landing

OldCrow

Re: "to defend against this"

How about the Trophy active-countermeasure system? The drone is likely to be slower than an RPG...

https://en.wikipedia.org/wiki/Trophy_(countermeasure)

Official: Windows for Workstations returns in Fall Creators Update

OldCrow

What about auto-updates?

That's the real question here. A workstation that hangs up and/or reboots for updates regularly is useless. So they can't expect many sales if they keep the mandatory update schedule.

But on the other hand, if the mandatory updates are lifted, then people and businesses may start to use this version for everything... depending on the price.

USA to screen tablets, e-readers and handheld games before they fly

OldCrow

Re: They're gonna love me...

Try a network switch, a fiber-to-copper converter and power supplies for both, all zip-tied and taped together into a single lump with cables sticking all over. I had to carry that through the airport security in Amsterdam.

Was afraid of it needing a good explanation sooner than later, so put it in the carry-on bag. They looked at it once, asked if I was MacGyver, and would have waved me right through if the swab-test hadn't given a positive for something. Re-test was negative, though, so passed right after showing a card with the word "engineer" on it.

Thing is, Amsterdam had the "all electronics separately" rule in place already. But the security actually had the training and/or brains to see that the clump had nothing capable of exploding. In the U.S., I doubt I would have flown on the same day.

Microsoft hits new low: Threatens to axe classic Paint from Windows 10

OldCrow

Re: Now just notepad, and we can write off builtin apps completely.

@45RPM

True, that part may have been uncalled for. As they are, in theory at least, no longer a monopoly.

Point still stands, in that with 10-S they'll start charging for what used to be the "Accessories" menu.

If submitting your software to the store is no longer free (at some point in the future, if it's still free), then there will be no free replacements either.

"Mom & Pop" will never have the know-how to install Linux. Most of today's youths don't have it either, since it's not necessary for survival in the short-term.

OldCrow

Re: Initially surprised to see TCP Offload going

Was mainly used with those overpriced "Network Accelerator, for maximum online gaming experience" -type cards. They did work as advertised, mind you.

OldCrow

Re: Now just notepad, and we can write off builtin apps completely.

And with the new Windows 10-S, you can't just install Paint.net or Notepad++: You have to get everything from the app store.

Now for just $0.99 each, with MS getting 50% of every sale. Aren't monopolies wonderful?

Why can't you install Windows 10 Creators Update on your old Atom netbook? Because Intel stopped loving you

OldCrow

Re: Support

The whole idea of "support for a CPU model" is, for the layman, absolutely insane.

The CPU is supposed to execute instructions. From a well-defined instruction set. What is there to support?

Then one day, my oh-so-expensive education revealed the horrible truth to me, in the form of the Intel CPU Errata documentation. I was enlightened. And horrified. Very, very horrified.

So, Intel "not supporting" the CPUs means that they'll no longer:

a) Accept more issues found, to their list of errata

b) Write examples and/or OS modules that side-step the processor's defects

c) Update drivers for the CPU's built-in peripherals

As far as I understand, all of the above activities should be rather complete by now anyway. So I think I shall continue to use my Debian netbook for the foreseeable future.

US laptops-on-planes ban now applies to just one airport, ends soon

OldCrow

Re: The found lots of guns

Incompetent. Undertrained. Same difference. Or not.

Remember that they might be decent people. They've just never seen a real explosive. Or a real gun. ...Oh, wait, they've seen the ones caught at the airport. Point still stands on the explosives.

OldCrow

Re: Guns

Do bear in mind that the Americans have a good reason to fear their own government. The average U.S. police officer is likely to have zero firearms training on any sort of regular basis. So if a police officer draws a weapon and you stand still, you have a high risk of ending up collateral damage. And if you run to cover, you have a high risk of being shot at. So the only safe response is to shoot the police first. </joke>

Jokes aside, unless TSA agents have a much stricter training regime than the American cops, you can't really hold them accountable for missing stuff in luggage. After all, with no education towards real explosives, you can't demand that they'd recognize one when presented. Never mind something more exotic, like a properly hidden blade. So it is perfectly understandable that passengers would want to carry some extra security with them. On the off chance that the terrorists try to hijack the planes, like they did on 9/11.

Sony nabs cloud gamers OnLive, administers swift headshot

OldCrow

Re: Yep

Except in Europe.

I get 10Mbps cable as part of the house utilities in my current apartment. I get 10Mbps 3G for 13e/month with data cap in tens of Gs and then throttling.

In my student times I got 1Gbps straight to the local backbone from the student dormitory.

An Intel i5 costs 250e minimum (including VAT) here, to give a scale of electronics cost.

For casual/RPG games, I could live with the lag.

Comcast: Google, we'll see your 1Gbps fiber and DOUBLE IT

OldCrow

Re: Likewise.

I get along with 10Mbps 3G connection. Shared by all my computers.

Got it when moving last time, since I figured I'd have to wait at least 2 months to get a cable. But I never even got cable ordered before I had to move across the country again. So glad I decided on the cheapest option.

13e/month (approx. $15 USD) plus the cost of 3G dongle and SOHO router (300e).

Had to choose between the 3 companies (in the whole country) offering 3G.

Finally settled based on who had least strings attached to the deal.

The Register - Independent news and views for the tech community. Part of Situation Publishing