267 posts • joined 7 Sep 2016
OpenSSL losing their mind
It is extremely sensible for the maintainers of OpenSSL to want to have the entirety of the project under a single unifying license, and APL is a perfectly reasonable choice (compared to, say inventing Yet Another License).
It is crazy of them to do it in such a cack-handed way. Assumption of consent is at best incredibly lazy and at worst mendacious. They need to get off their behinds and audit every contribution, track down the contributor, and ask. If they can't do that, then the contribution needs to be rewritten.
Yes, doing it right takes time. The leaders of OpenSSL of all people should remember that not doing it right causes major pain later on. My heart...bleeds for them.
Same HR people?
Would this training be delivered by the same HR people that told Susan Fowler there was nothing they could do because the alleged harasser was a high performer? If so, why are the leaders of that group still at the company?
Uber's sin was not just having jerks on staff, but having an HR function that failed to protect the employee. Heads should be rolling all over that firm right now.
Lies on both sides
There is indeed a lack of high class IT talent, and some immigrants fill that need.
There is indeed no lack of mid-range IT talent, and too many immigrants fill that need.
The truth is that countries like the United States need talent - bloody great gobs of it - in order to remain an innovative, dynamic economy. In other words, fill the first need. It really doesn't need buckets of mid-range talent.
The solution then would be to make it easier for people who study STEM at an advanced level in the United States to stay here after they graduate, and make it harder for mid-range H1Bers to come over. I know Congress doesn't do Grand Bargains any more, but it surely can't be beyond the wit of man to devise a suitable scheme.
Users confuse complexity with entropy, no?
Isn't going for length a better tradeoff than these little rules?
In the absence of 2FA, asking the user to pick five English words of four or more letters, and then concatenating them together to create a 20+ char password would seem to give much better entropy than just asking for 8 chars and a number?
On the other hand, I wonder how many people would enter passwordpasswordpasswordpasswordpassword...
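An added example, not part of the comment above, that puts numbers on the tradeoff the commenter describes. It compares the entropy of "8 characters from a 62-symbol alphabet" with "five dictionary words of four or more letters", and it handles the degenerate case the commenter worries about: a passphrase made of the same word repeated earns credit for only the distinct words, because an attacker can try "word repeated k times" for every word in the dictionary at roughly the cost of one dictionary pass. The wordlist and the 7776-entry dictionary size are assumptions for the demo.

```python
import math

# Constructed toy wordlist so the demo runs offline; a real deployment would load a
# large dictionary (the EFF long list has 7776 entries) and pass its size below.
WORDLIST = {"correct", "horse", "battery", "staple", "password",
            "apple", "river", "mountain", "silver", "window"}
ASSUMED_DICTIONARY_SIZE = 7776  # assumption used only for the entropy arithmetic


def rule_based_entropy_bits(length=8, alphabet_size=62):
    """Upper bound for a uniformly random password of `length` symbols.
    A 'must contain a digit' rule can only shrink this space, never enlarge it."""
    return length * math.log2(alphabet_size)


def segment(passphrase, wordlist):
    """Split a concatenated passphrase back into dictionary words.
    Dynamic programming over prefixes, preferring the fewest words;
    returns None if the string is not made entirely of wordlist entries."""
    n = len(passphrase)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and passphrase[start:end] in wordlist:
                candidate = best[start] + [passphrase[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def assess(passphrase, wordlist=WORDLIST, dictionary_size=ASSUMED_DICTIONARY_SIZE,
           min_words=5, min_len=4):
    """Estimate the guessing entropy of a 'five words of four or more letters' passphrase.

    Heuristic: credit log2(N) bits per *distinct* word.  An attacker who tries
    'the same word repeated k times' needs about N guesses, not N**k, so
    'passwordpasswordpasswordpasswordpassword' earns one word's worth of entropy."""
    words = segment(passphrase, wordlist)
    if words is None:
        return {"ok": False, "bits": 0.0, "words": [],
                "reason": "not made entirely of dictionary words"}
    distinct = set(words)
    bits = len(distinct) * math.log2(dictionary_size)
    problems = []
    if len(words) < min_words:
        problems.append(f"only {len(words)} words, need {min_words}")
    if any(len(w) < min_len for w in words):
        problems.append(f"a word is shorter than {min_len} letters")
    if len(distinct) < len(words):
        problems.append("repeated words: attacker only needs the distinct ones")
    return {"ok": not problems, "bits": bits, "words": words,
            "reason": "; ".join(problems)}


if __name__ == "__main__":
    print(f"8 random chars from 62 symbols: {rule_based_entropy_bits():.1f} bits")
    for p in ("correcthorsebatterystaplewindow",
              "passwordpasswordpasswordpasswordpassword"):
        print(p, assess(p))
```

With a 7776-word dictionary, five distinct words come to about 64.6 bits against about 47.6 bits for eight fully random characters, and the composition rule the commenter mentions only makes the second number smaller. The repeated-word passphrase scores about 12.9 bits, which is the point of the check.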
Oddness in the rankings
Much as I love to see Perl in here, I have to be a little suspicious that it ranked higher than R and Go. Or maybe the skill I had that I thought was consigned to the ash heap of history is now so old that there are opportunities for codgers to maintain "ancient" code from the 1990s?
You've come a long way, baby
Acorn RISC Machines. ARM.
I feel my purchase of a BBC Master circa 1988 and playing Zarch on an Archimedes played a small but vital role in keeping this flame of Brit engineering alive.
(We really need an icon for long-dead-but-much-loved, what with all the COBOL, AS/400 and RiscOS floating around El Reg lately.)
Re: Amateur night at CBP
When it's done well, it's quite impressive. When it's done badly, it's excruciating. I was questioned "well" on my way into Canada from the US a couple of years ago, and it took me five miles into the great north before I realized that the border agent had played me with lots of friendly leading questions that did not give anything away. "Touche sir!", I said to myself.
I've also had it in the bad way. The TSA used to do this in airport lines, you'd be waiting and some geezer would sidle up to you and start a conversation, except that it sounded like it was scripted by a robot. Then you just groan inside.
The TSA one is particularly awkward as I work in a field where competitors will do *anything* to get intel on our organization. So I am naturally a little suspicious of friendly people. (That friendly barfly in the pub next to the airbase in Arizona is probably not just a local who likes to talk about planes.)
Re: COBOL is dead!
Yes to all the above. Run a Linux VM, install Gnu COBOL, start playing.
But really, for a "forgotten" language like this, you need a mentor. Someone you can meet up with every month and learn from. Chances are they'll be a little older, and I suspect they will be thrilled to be asked to share their knowledge and experience. You might even be able to parlay it into some paying gigs because they'll know better than you what businesses still use the stuff.
Black cabs are still the way to go in London
Only in a black cab can you collapse into the back seat, state your destination and enjoy looking out of the window instead of nervously checking your phone's GPS to see if the driver really knows the way.
Only in a black cab can you say, "there's a pub opposite the office I want to go to, cheshire something, near fleet street" and the driver will know where you are going.
Only in a black cab can you have a conversation that ranges from the sun to The Sun.
When Uber and minicab drivers catch up, I'll give them a try. I'm not holding my breath.
Re: Portable password manager?
Well, it boils down to two things. How easily an attacker could guess the inputs and the security of the hashing algorithm. Everything else is second order beans, e.g. it would not take long to notice that you had a low frequency of a-m and a high one of !-- and reverse that.
The hash is pretty good, but only as good as its inputs: if an attacker can guess those, then the strength of the hash is moot.
So now we are down to: can an attacker guess your username, sites you might visit, and your passphrase? In many cases (perhaps not you personally) I would wager that the first two are easy to guess. How many John Smiths have a username of jsmith, johnsmith etc? (It's worse if your name is unusual, as you're more likely to grab the easy user names and not have to resort to some number after your ID. There's probably only one JanetOoberLuba in the bank's system, but John Smith is probably johnsmith03456). Sites are easy to watch too. Work in IT? British? Chances are you read El Reg. Right-wing, American? Look at Fox News, and maybe you bank with a bank in a red state. It's amazing what you can work out.
So then, at the end, we are down to this: is your passphrase any good?
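An added example, not the commenter's code, that makes the two points in the reply concrete: a stateless manager that derives a site password from username, site and passphrase, the statistical skew you get when hash bytes are mapped onto a character set with a plain modulus, and the offline guessing attack that one leaked site password enables once the username and site are easy to guess. The character set, the "jsmith" scenario and the candidate list are constructed for the demo; the slow-KDF variant shows that stretching multiplies the attacker's cost but does not rescue a guessable passphrase.

```python
import hashlib
import string

# 94 printable ASCII characters; an assumption about what a stateless manager emits.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def derive(username, site, passphrase, length=16, charset=CHARSET):
    """Stateless derivation: password = f(username, site, passphrase).
    SHA-256 is fine as a hash; the weakness is entirely in how guessable the inputs are."""
    material = f"{username}\x00{site}\x00{passphrase}".encode()
    digest = hashlib.sha256(material).digest()
    return "".join(charset[b % len(charset)] for b in digest[:length])


def derive_slow(username, site, passphrase, length=16, charset=CHARSET,
                iterations=100_000):
    """Same idea with PBKDF2: each guess now costs `iterations` hashes, which
    multiplies the attacker's bill but leaves a guessable passphrase guessable."""
    salt = f"{username}\x00{site}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)
    return "".join(charset[b % len(charset)] for b in digest[:length])


def mapping_bias(charset_size):
    """Ratio of most- to least-frequent output symbol when a byte is mapped with
    `byte % charset_size`.  Any size that does not divide 256 skews the
    distribution, which is the kind of frequency fingerprint the reply refers to."""
    counts = [0] * charset_size
    for b in range(256):
        counts[b % charset_size] += 1
    return max(counts) / min(counts)


def recover_passphrase(username, site, leaked_password, candidates, derive_fn=derive):
    """Offline guessing attack: one leaked site password plus a guessable username
    and site name lets an attacker test passphrase candidates at hash speed, with
    no rate limiting by the site.  Returns the matching candidate or None."""
    for guess in candidates:
        if derive_fn(username, site, guess) == leaked_password:
            return guess
    return None


# Constructed scenario: a John Smith with a predictable username and a weak passphrase.
USERNAME = "jsmith"
SITE = "theregister.co.uk"
WEAK_PASSPHRASE = "letmein"
# Constructed candidate list; a real attacker would use a wordlist of millions.
CANDIDATES = ["password", "123456", "correcthorse", "letmein", "Tr0ub4dor&3"]


if __name__ == "__main__":
    leaked = derive(USERNAME, SITE, WEAK_PASSPHRASE)
    print("site password:", leaked)
    print("bias with a 94-char set:", mapping_bias(len(CHARSET)))
    print("recovered passphrase:", recover_passphrase(USERNAME, SITE, leaked, CANDIDATES))
```

Two things to take from running it: with a 94-character set the first 68 symbols come out 1.5 times as often as the rest, so the output alphabet is not uniform, and once the attacker has one leaked password and can guess "jsmith" plus the site, the quality of the hash never enters into it; only the passphrase does.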
Diff'rent strokes for diff'rent folks
The root of all this seems to be that even in 2017 some organizations have not realized that people work better in different ways.
Management is the art of getting the best out of the team that you have in the time you have available. What I see here, and in numerous other examples of management by diktat, is trying to make everyone work in the same way. That is doomed to failure, because people quite simply do not work in the same way. Knowledge work is not like assembly line work.
To take an example from my own industry, I spend a lot of time at a customer in New Jersey. Some people go into their offices and shut the door so they can think clearly. Other people save their hardest problems for their lunchtime stroll with a colleague, out in the sunshine chatting things over with nary a whiteboard in sight. Some folks like the collaboration spaces where they can sniff markers^W^W draw network diagrams and think visually. Some folks find offices an endless source of distraction, gossip and nonsense and prefer to work in their garden shed.
In the end, is that really so hard to understand? You either produce good work, and get on with your colleagues, or you don't, in which case, sayonara.
"Telling everyone she is an expert": No, she is just trying to get her job done.
"Over-inflated ego": No, she is just trying to get her job done.
It doesn't matter whether she is the janitor or the chief engineer, or, for that matter, whether she is an expert in reliability engineering or not. She has evidence of sexual emails from her boss, which any adult knows is out of order in the workplace. Getting no backup from HR is a red flag. Getting no backup from HR because they want to protect a favored employee is full on run-for-the-hills territory.
While we're on the subject of TI...
What in creation is up with the TI-84 calculator? It's one of the ugliest, slowest, most retro pieces of computing power I've ever seen...yet all the kids textbooks use it and TI seem to have a lock on the market. As a Euro transplant to the US it blows my mind that people still make kids use them.
Are you for real, Chris Mellor?
Is author "Chris Mellor" a real person, or is this one of those articles written by an AI bot?
C'mon, man, you work for The Register. You're supposed to know something about this stuff and (main reason we read El Reg) see all vendor pitches with a witty, fair but slightly jaundiced eye.
You are *not* supposed to breathlessly paste their slides and fluff into an article as if that nice Mr Moses had just given you two tablets and asked you to compile a Top Ten list.
You didn't think that storing a sequence of bytes with a shorter sequence of bytes might already have been invented? And refined dozens of times in various algorithms?
You didn't think that a system where the data could only ever be read by the system that stored it screamed lock-in and eventual obsolescence?
You reported, without comment, the vendor's claim that a data replication technology that did not exist at the time of the demo would "blow people's minds".
You went looking for independent verification of their claims, and spoke to...the CEO, CTO and one of their investors?
That's it? That's your journalism?
I wish IRIS nothing but the best, but this was feeble work by El Reg's standards. Send Trevor Potts to the next one please. He knows how to test storage. And if you ask nicely, he won't always set it alight.
Hacker tools? wha?
One AC here wants to throw the book at Comverse because they believe they sell hacker tools to the guvmint. That is not what Comverse did or do. But Comverse have quite a convoluted history that is worth spelling out so that people see that it is not quite as defunct as you might think.
Once upon a time there was Comverse Technology, one of those Israeli startups that grow out of their military-industrial complex. They did a good line in voicemail, SMS server technology and lawful intercept. Our man Kobi here ran this gig. The lawful intercept was not hacker tools but CALEA stuff: you show up with a warrant and the phone company use the software to tap the call.
Comverse then imploded with the stock options scandal and out of the ashes came Xura and Verint. Verint still do the lawful intercept stuff. Xura, well no one quite knows what they do. They mopped up Acision and mopped up Mavenir, a provider of IMS software to telcos (who themselves had just been jettisoned by Mitel). The guy who founded Mavenir now runs Xura.
Clear as mud? I thought so.
Maybe a cup of tea will help
People use "issuance of advisories" as a proxy for "taking security seriously" but they are definitely not the same. However, the onus is on the Xen project team to prove that. It's not enough to say, "well, of course we do!" They need to show by their actions that this is the case. For example: a security audit of the code; participation in CTFs/bounty programs; partnership with major cloud folks to review Xen security. And so on.
By way of comparison, the OpenBSD team are constantly fixing issues with potential security impact but they do not issue CVE advisories on each one: however, their active reputation (in no small part earned by activities such as the above) still leads them to be highly rated in the security space.
I know AS/400 (sorry, IBM i) isn't trendy, or fashionable, but I have deep respect for it. Like VMS, it Just Works, and many of the ideas in it are really stellar (e.g. cpu architecture independence without recompilation!) - all the more so when you consider when it was developed. Long may it continue.
Re: The company I work for went through this
A challenge on this quote: "There are a lot more Windows sys admins and technicians than Linux ones, which means that the authority may be able to get away with paying less".
Is that really true these days? Windows system administration is *significantly* more advanced than, say, in the NT4 days. Powershell, GPO, WSUS, etc etc are not noddy things, they are as powerful as chainsaws. Linux administration is still fundamentally and culturally a GUI+config file affair, and the explosion in the cloud/devops way of doing things has led to a generation of kids who can do this.
Not arguing, but I think this claim is worthy of more investigation. Trevor Potts, where are you?
Re: Replacing Linux with Windows, based on *cost*?
OK, I'll bite, since I would love to ditch Outlook, but have not found an alternative.
1. UI. Outlook's UI isn't stellar, but it's very flexible. Multipane windows, instant switching between contacts, tasks, calendar and mail, message preview, search shortcuts, these are all things that Outlook users rely on.
2. Programmability. Outlook has a rich set of third-party plugins that no one else can offer. Need to schedule WebEx sessions from within the client? Send info to your CRM platform? Outlook is the only game in town. There is also the ability to script outlook using VBA, which we use to write simple plugins that connect to our internal systems (eg see a message from X, press a button and it opens a support ticket on our web portal and inserts the message text). I imagine that less than 1% of users worldwide program Outlook like this, but still, it is important to us.
3. The calendaring function is really smoothly integrated with the messaging client. Nothing I've seen on Linux comes close to Outlook's ease of corralling multiple coworkers in different time zones plus the rooms and resources needed for a meeting.
Re: Not work but...
In the OP's defense I would like to cite the Toshiba Satellite Pro, which tends to throw a major league hissy fit and prevent access to the BIOS menu when it sees something it doesn't like. I know this because I just spent a few hours trying to get to the BIOS to reinstall Windows on a new HDD. No more Toshibas are now permitted in the Ajob household.
Damned if you do, damned if you don't
All careers end in failure. Remember that. You will never, ever, get all that you wanted done. And you can't please all the people all of the time. Or even some of the time.
With that in mind, this missive from the CEO sounds a lot better than the usual sterilized nonsense, and for those that point out that 21% of CEOs are nut jobs, well, 79% of them were not. So let's give the guy some credit for trying. Or would you prefer to sit in the peanut gallery, take potshots and encourage the next letter writer to spout pablum?
There are good workers, and there are not-so-good workers. That is all
A muppet in the office is a muppet when they telecommute. These are the people who show up late to conference calls, send you email late on a Sunday night when you asked for it by Friday, who can never seem to get WebEx/Connect/GoToMeeting running on their PC (for the love of God, why??), and who mysteriously never seem to be online in your corporate IM/phone system.
A star in the office is a star when they telecommute. They manage to do the school run and get to a quiet place to take a call at 9am. They are professionally indistinguishable on conf calls from someone sitting in an office at HQ. They text you if they see something but can't act on it so you are not left hanging for hours. They take time to work at relationships because they know it's hard being a remote worker.
IBM are absolutely right when they admit that some energy and watercooler effects are lost when everyone telecommutes. But the solution to that is to manage the situation, not to ban it. Fire the muppets and treat the rest with respect. The end.
"Trump!" said the elephant
Elephant in the room: Saudi Arabia. When President Trump deals with the Saudis on the same terms as he does with the Iranians, I'll believe he's serious.
Frankly my experience has been that the Iranians are quite sensible, but the Saudis have a firm grasp on the President's balls (and the last one, and the one before that, and)...and, having a shared passion for money, he seems to like it.
why the witch-hunt?
As a former Exchange admin I can tell you that mistakes sometimes happen. So I would separate distaste for Accenture from the observation that there but for the grace of god go I. A mis-config is a mis-config, it could just as well have been a screwup on qmail and dovecot as on Exchange.
The real solution is to educate users that when they get a message that is not for them, they either delete it or they reply directly. That rule is drummed into our employees here for good reason. (Second rule: if you want someone to do something, they go in the To: field and not the Cc one. Helps immensely with inbox filtering.)
How should the history of computing be recorded? Discuss.
It's incredible to me that humankind's most significant invention since the airplane is also its least documented and has led to everything it created being similarly at risk. Historians of AD2100 will realize there is a giant void starting in around 1990 where no historical records survive. Historians of AD3100 will have long debates about whether a 3.5" floppy disk is really a type of weapon or a digging implement. If you don't believe me, go to your nearest archaeological museum and marvel at how little we know about societies that did not use permanent written records.
AV is doomed to failure
An AV package needs to scan, in real time, every input source of the computer - network, USB ports, floppy disks (for your nana in Iowa) etc. No AV package can do this without materially affecting the performance of said computer. Doesn't matter whose it is. Sure you can pull tricks like heuristic scanning but that's really a bandaid - a heuristic is basically an intelligent guess based on experience that allows the package to shortcut the full scan function. So not perfect, and never will be.
Compounding the problem is that most AV packages are aggressively horrible: buggy, difficult to manage, and reeking of money-grubbing (I find AVs' prompts to try/buy and their ordering systems bizarrely mirror the look and feel of the very kind of dodgy malware they purport to defend against - almost like they were written by the same people). I would rather have imperfect Windows Defender baked into the OS than some sh**ware from Symantec. It occurs to me that with MSFT's penchant for data collection they are also in a position to start doing behavioral analysis on network connections too, like CC companies do. If my nana's PC in Iowa suddenly starts making TCP connections to a server in a far-off country, wouldn't that strike you as a little odd?
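An added example, not from the comment above, of the credit-card-style behavioral check the commenter describes, run over a constructed connection log for one home PC. It learns the destination countries and ports the host normally talks to during a baseline window, then flags later connections that trip several checks at once (new country, new port, night-time). The IP addresses come from the RFC 5737 documentation ranges, the country column stands in for a GeoIP lookup, "ZZ" is a made-up far-off country, and the night-time window and the two-reason threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection log for one home PC.  IPs come from the documentation
# ranges (RFC 5737); the country column stands in for a GeoIP lookup and "ZZ" is
# a made-up far-off country.  Format: timestamp host dst_ip dst_port country
SAMPLE_LOG = """\
2017-03-01T08:00:01 nana-pc 192.0.2.10 443 US
2017-03-01T08:05:12 nana-pc 192.0.2.11 443 US
2017-03-01T19:30:00 nana-pc 198.51.100.7 443 US
2017-03-02T09:11:42 nana-pc 192.0.2.10 443 US
2017-03-02T20:02:13 nana-pc 198.51.100.8 993 US
2017-03-03T10:00:00 nana-pc 192.0.2.12 80 US
2017-03-04T03:14:07 nana-pc 203.0.113.9 4444 ZZ
2017-03-04T03:14:09 nana-pc 203.0.113.9 4444 ZZ
2017-03-04T11:00:00 nana-pc 192.0.2.10 443 US
"""

NIGHT_HOURS = range(0, 6)  # assumption: 00:00-05:59 local means nobody is at the keyboard


def parse(log_text):
    """Turn the whitespace-separated log into event dicts with real timestamps."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, ip, port, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "ip": ip, "port": int(port), "country": country})
    return events


def build_baseline(events, until):
    """Per-host sets of destination countries and ports seen before `until`."""
    baseline = defaultdict(lambda: {"countries": set(), "ports": set()})
    for e in events:
        if e["ts"] < until:
            baseline[e["host"]]["countries"].add(e["country"])
            baseline[e["host"]]["ports"].add(e["port"])
    return baseline


def score(event, baseline):
    """Return the list of reasons an event looks unusual for its host."""
    profile = baseline.get(event["host"])
    if profile is None:
        return ["no baseline for host"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["port"] not in profile["ports"]:
        reasons.append(f"new port {event['port']}")
    if event["ts"].hour in NIGHT_HOURS:
        reasons.append("night-time connection")
    return reasons


def flag(log_text, baseline_until, min_reasons=2):
    """Train on everything before `baseline_until` (ISO 8601 string), then flag
    later events that trip at least `min_reasons` checks.  A single new port on
    its own is normal drift; a new country on a new port at 3am is the anomaly."""
    cutoff = datetime.fromisoformat(baseline_until)
    events = parse(log_text)
    baseline = build_baseline(events, cutoff)
    flagged = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = score(e, baseline)
        if len(reasons) >= min_reasons:
            flagged.append((e["ts"].isoformat(), e["ip"], reasons))
    return flagged


if __name__ == "__main__":
    for when, ip, why in flag(SAMPLE_LOG, "2017-03-04T00:00:00"):
        print(when, ip, ", ".join(why))
```

On the sample log the two 3am connections to 203.0.113.9 are flagged with all three reasons, while the 11am connection to a known host on 443 passes. The threshold is what keeps this from becoming the false-positive generator the commenter complains about in real AV products: a new port alone is not worth a prompt.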
IoT is not industrial automation/control
Software to control an oil rig drilling assembly, or managing the control surfaces on a jet plane, that's industrial automation. You don't fanny about because mistakes get your CEO dragged in front of Congress, people die and your share price tanks. Hence Ada, mil-spec and all the usual safety-first standards.
This works when you can sell your software for millions of dollars.
IoT is nothing like that. Software is written to be cheap, on sensors that are even cheaper. No one is writing code to defend against cosmic-ray induced memory corruption, or fuzzy inputs, or indeed anything that is not strictly what the designer hoped would be a normal day in Peoria.
There will never be adequate security in this sort of consumer grade fluff, because the dollars to make it so aren't there.
Ergo, avoid IoT if you want to have a secure and safe home environment. And when you fly, hope that your plane's programmers learnt the professional standards and not the IoT ones...
Props....now what about SMTP?
Kudos to the developers of Dovecot.
I wonder how the current breed of SMTP servers would hold up? Postfix, qmail and friends were built to overcome the woeful reputation of sendmail, but even they are 20+ years old now and the attacks are different from what we saw in the 1990s. How well do they stack up?
Another lost opportunity
This sort of thing drives me crazy. Department A of the Federal Government is desperate for computing talent to fight off the bad guys. Department B of the Federal Government is locking them up. C'mon now, would a plea deal have been so hard? Or 10,000 hours community service working for a three-letter agency?
Instead, some young man's life is going to be scribbled on, hard, by the crims in the penitentiary. Sad.
Re: With the exception of the Master Race...
Office and Outlook. That's it. Yes, LibreOffice and <insert choice of mail client> exists. But they are just not yet good enough to score really significant design wins...the ones that get written up in Forbes as saving the organization big bucks. When someone like Ford, Boeing or AT&T successfully dump Office/Outlook, then the ball really starts moving. Until then, it's El Reg readers and other brave souls only.
I try really hard to use Linux for everything, but it's always Office and Outlook that drag me back. Horrible.
I see the Xmas spirit has run dry...
This is going to sound like I am an MSFT shill, but bear with me. Yes, Windows 10 is a bodge job. Try explaining, for example, where a user should look for wireless settings, and it's obvious that they collided the Win 7 truck with the Win 8 one and prayed the results would be shippable.
But: what exactly was Satya Nadella to do? He inherited a giant, no, colossal steaming pile from Ballmer. Share price down. Late in mobile after the disaster of WinMo. Late in public cloud. Linux on AWS the de facto choice for all the new innovative companies. Bankers and press circling waiting to write Microsoft off. Windows 8 / Metro universally hated. Security issues cropping up like whack-a-mole. Apple resurgent.
I am not a huge fan of Win 10. But I give Nadella a lot of credit for turning Microsoft around and doing something --albeit imperfectly-- on all the platforms that matter. Can you imagine Ballmer greenlighting Outlook on Android or SQL Server on Linux?
Ridiculousness on both sides?
As ever, cui bono?
- Being able to read but not modify data from anything you own should be a fundamental right. I know manufacturers are always trying to cut off this access, but that's the spirit of OBD. Obvs, manufacturers and dealers hate it because they make no money off someone coming in who's already IDed the problem and simply wants the part or the fix made, compared to someone who hasn't.
- Being able to modify software is something the EFF would love, of course, drinking from the same stream as the Stallmanistas, but manufacturers are not unreasonably worried about liability. You may think they are also worried about $$, but let's leave that to one side for now.
- Being able to replace the software on something you bought seems like a reasonable ask, so long as it can be legally insulated from the stock software.
I suggest that the compromise is law that gives freedom to read, provides safe harbor legal protection for mfrs and lets people tinker in a clearly partitioned environment. For example: you can load your own build, but it has to be digitally signed by you and you accept that you are liable if bad things happen.
As of now, the tools that mfrs use to combat tinkering are clumsy and ridiculously heavy-handed, and play perilously close to breaking anti-trust law. For example "you can only buy from our dealers".
Re: Loyalty is for suckers
What have Indians got to do with it? They are being perfectly rational economic actors. They are taking advantage of an opportunity offered by an employer to get out of their low-pay economy and limited prospects country and come and work for significantly more in the world's most advanced economy.
If you have a beef with that, you should take it up with the US employers that choose it, and the craven Congress that allows it, not the poor schmoes just trying to support themselves and their families.
What happens when a star gets too big?
At some point the cruft overwhelms the core and the whole edifice collapses under its own weight. We finally managed to get rid of sendmail and BIND. Powerful yet large and consequently fatally compromised packages written by super smart people. In this generation we have D-Bus and systemd. Powerful yet large and consequently fatally compromised packages written by super smart people. Will we ever learn?
Systemd does a lot of good things. Complaints about this or that service aside, that's not really the problem. The tradeoff is the benefit of entrusting your servers to large, opaque systems. For all their myriad faults, the alternatives are simpler and less opaque: sysV init being the classic and s6 being a good example of something newer.
About that server...
Since this is El Reg, someone must know the answer. What exactly was this email server? I have visions of a FreeBSD box sitting under Bill's desk at the Clinton residence, connected through his wifi and with a bit of port forwarding on the house broadband router. Is that remotely accurate? Or was it a box in a bit barn somewhere? Office 365?
I'm not getting into the politics of this...I'm just genuinely curious about what the rig was.
The story of computing is the story of "good enough" being the horse you want to bet on in the long run over the "superior" challenger.
OSI vs TCP/IP; Windows NT over various UNIX; Linux over Solaris, HP-UX; UNIX over VMS. (Mainframes are a curious exception but that is I suspect because they have done an absolutely stellar job of co-opting new movements into their universe. You've been able to run Linux on z/OS for what, 20 years?)
This trend is exacerbated by cloud computing models where you explicitly reject the "pets" model of computing and treat all your instances as cattle. Once you go down that path, all the robustness advantages of Solaris, HP-UX etc count for very little.
I will always have a soft spot for Solaris, which was a seriously good OS produced by engineers who really knew their stuff. And (back in the day) supported by great folks whose first response was not to turn it off and then on again. But the future is unquestionably Linux. The only questions now are how quickly it can get all the goodies from the past, and whether the edifice will collapse under its own weight on those somewhat shaky foundations.
Only if it's been "properly installed"
The man pages for GNU are always hilariously passive aggressive on this point.
"If the documentation has been correctly installed at your site" is what I recall it saying. But I always imagined the real meaning to be something like
"If your sysadmin has drunk the entire bottle of GNU Kool-Aid, you can find an incredibly dense manual by typing ``info foo''. But if they are a normal person who just untarred and ran, well, dear peasant, you are stuck with this man page."