Posts by Flocke Kroes

1322 posts • joined 19 Oct 2007

Shellshock over SMTP attacks mean you can now ignore your email

Flocke Kroes
Silver badge

501 Syntactically invalid HELO argument(s)

Flocke Kroes

Mutt gets so close that I decided to check

Mutt does almost everything by delegating the task to some other program selected in the ~/.muttrc file. For example, sending an email is controlled by a setting like this:

set sendmail="/usr/sbin/sendmail -oem -oi"

man muttrc for the sendmail variable says:

"Mutt expects that the specified program interprets additional arguments as recipient addresses."

When you reply to an email, mutt creates a string by appending the recipient addresses to the sendmail variable, then getting the user's shell (probably bash) to interpret the result.

I tried changing the reply address in an email to things like $(hostname)@localhost and replying. Mutt kept sanitizing the reply address so bash never saw anything dangerous.

I had to hunt through muttrc's man page for about quarter of an hour before I found a way to get the reply address into a command line. Mutt lets you put all sorts of things into command lines, for example %h is replaced by the local hostname. The list of substitutions is different for each variable. I did not find any remotely generated strings available as substitutions in shell commands. Someone thought carefully about blocking advanced users so they cannot accidentally reconfigure remote execution flaws into their mail reader.

I was surprised to find mutt was using bash. I expected it to use the 'system' function which calls /bin/sh which (on Debian systems) is a link to dash, not bash. It probably found bash in the SHELL environment variable, which defaults to bash on most Linux distributions.

Linux is covered in places where every detail can be reconfigured with a shell script. The mail system is often extremely flexible, with support for different delivery and transport agents, and multiple spam and virus checkers on incoming, outgoing and forwarded messages. I am not surprised that crackers are looking for weaknesses here. There might even be one to exploit (on systems where a half-competent sysadmin has failed to do something clever).

Updating to a recent bash will block this exploit search, so if you haven't already, do it now.

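
The string-versus-argument distinction the post above describes, as an added example that is not part of the original post and not mutt's code: two ways a mail client could hand a recipient address to its sendmail program. 'fake_sendmail' stands in for /usr/sbin/sendmail and only prints the recipients it receives, 'eval' stands in for the 'sh -c' a client would use, and both addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from mutt: two ways a mail
# client could hand a recipient address to its sendmail program.
# 'fake_sendmail' stands in for /usr/sbin/sendmail and only prints the
# recipients it receives; the addresses are constructed.

sendmail='fake_sendmail -oem -oi'       # shape of mutt's sendmail setting
hostile='$(echo PWNED)@localhost'       # a reply address under the sender's control
benign='alice@example.org'

fake_sendmail() {
    shift 2                              # drop -oem -oi, leaving recipients
    printf 'to:%s\n' "$@"
}

# Unsafe: concatenate and let the shell re-parse the whole line. 'eval'
# stands in for the 'sh -c' a client would use; the $(...) in the address
# is executed before fake_sendmail ever sees it.
send_via_string() {
    eval "$sendmail $1"
}

# Safe: word-split only the fixed command, then pass the address as one
# argument that the shell never parses (what execve-style spawning gives
# you).
send_via_argv() {
    set -- $sendmail "$1"
    "$@"
}

send_via_string "$hostile"               # prints to:PWNED@localhost
send_via_argv "$hostile"                 # prints to:$(echo PWNED)@localhost
```

The unsafe variant is what any "command string plus recipients" setting turns into once a shell re-parses it; the safe variant is the argv form, which is why a client that builds argument vectors instead of strings needs no sanitising of the address at all.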

Computer misuse: Brits could face LIFE IN PRISON for serious hacking offences

Flocke Kroes

Corruptissima re publica plurimae leges

How many laws have we got already?


Back to the ... drawing board: 'Hoverboard' will disappoint Marty McFly wannabes

Flocke Kroes

Saw this type of mag lev in action in 1985

Take a big coil of thick copper wire, plug it into the mains and drop it on a thick sheet of aluminium. The coil will hover and try to fall off the edge of the sheet. If you drill a hole in the sheet, the coil will hover over the hole because moving away takes it further from an edge. With two sheets, you can pretend your coil is a train, and the gap between the sheets is the track. Turn it off before the insulation on your copper wire melts. Afterwards, you can wonder why your train ticket, credit card and floppy disks (1985-style data storage device) don't work.

If you are going to try this on a copper plated surface, be sure to film it. The huge currents in a thin layer of copper will heat things up fast. What happens next depends on what you copper plated. You can get a nice bubbly effect by vaporising the resin in fibreglass. The bumps will break the copper into flakes, which will be scattered by the alternating magnetic field. Your expensive board will then drop onto the hot fibreglass resin.

Control circuits that keep the board level would have been difficult to fit on a board in 1985. Control circuits that keep the board from zooming off the edge of the conductor and the 7 minute battery life are impressive now.


Scientists skeptical of Lockheed Martin's truck-sized FUSION reactor breakthrough boast

Flocke Kroes

Patents

I think you're right about this being a patent scam, but there are lots of things to patent. Pretend Lockheed get a pile of investors to fund a prototype-mini-tokamak-for-aircraft subsidiary. A decade from now, the subsidiary goes bankrupt, but in the meantime it has hired Lockheed to make all the parts needed for a fusion reactor (not just the tokamak), and Lockheed has got all that experience for free.

They will need big superconducting magnets, and the cryogenics to cool them.

The easiest fusion reaction is deuterium + tritium. Tritium has a half life of 8 days, so you have to make it yourself. The obvious way to make tritium is to use the neutron flux from a tokamak to break up lithium. A complete fusion reactor includes a lithium jacket and all the machinery required to separate tritium from lithium.

While we are at it, a fusion reactor creates helium, which you want to get out of the reactor before it cools things down. One of the many complicated bits of ITER is getting some of the fuel/helium mixture out, separating out the helium and pumping the fuel back in again.

Getting the fuel in is fun too. Freeze it solid and shoot in pellets of fuel with a gas gun.

Even if Lockheed has a magic tokamak design that fits on an aeroplane, all the extras needed to make it go would not fit on an aircraft carrier. Lockheed should not be comparing their device with ITER anyway. ITER is a huge steam factory to investigate the technology. The prototype for a commercial electricity generating reactor is the gigantic (fictional) DEMO.

Flocke Kroes

Try hunting down that NASA quote

I did ages ago. It was something like "If it works, it would be great". No-one from NASA has said "It is not a scam", which leads me to ask: Why do the E-Cat guys need to publicise a misquote?

The E-Cat demonstration could be faked by any competent chemist. If there was a working prototype, it would be making money by itself without investors.


Of COURSE Stephen Elop's to blame for Nokia woes, says author

Flocke Kroes

Pictures or it didn't happen

Where is the evidence for this "Nokia was in a death spiral before Elop" nonsense? Before Elop, Nokia had more unit sales than Apple and Samsung combined. The picture for growth, revenue and profit is even more damning.

When Microsoft extended their (now broken) monopoly into a new market, they bought a major player in that market. They did not buy the market leader because that was too expensive. The second place player always had hopes of becoming first rate, so they were out too. A third rate company knows they are third rate and price accordingly. That has historically been Microsoft's choice. Elop set up his bonus to pay out when Nokia was sold to Microsoft. Sale to others (there were offers) would not have been in the Trojan's best interest.

I thought Elop sending Nokia all the way to tenth place instead of stopping at third was a sign of incompetence. Microsoft rewarded him anyway, so perhaps that was the plan all along.


How much is Microsoft earning from its Android taxes again?

Flocke Kroes

Re: @Graham Marsden

Have you got evidence of a patent that was granted and applied for properly serving a useful purpose?

Flocke Kroes

According to the patent lobby...

Hundreds of thousands of free software developers are reading through patent filings, and after they have read some, they are instantly ready to release software.

In the real world, programmers do not read patent filings because at best it is a complete waste of time, and at worst, triple damages for wilful infringement.

Why do we have a patent system at all?


Bored hackers flick Shellshock button to OFF as payloads shrink

Flocke Kroes

Number of _unique_ payloads ...

There is some evidence of boredom: the number of unique payloads peaked on the 27th. Before that, people were creating and debugging new exploits. After that, the only new people trying to join the party were script kiddies.

One of the fun things about this flaw was it only required basic knowledge of bash scripting, CGI and Google fu to play with on your own network. You could get results in under a minute. Having enough knowledge to route the attack through the neighbour's open wifi and Tor (or not caring about being on the NSA's shit list) cut the numbers down to about 10,000 (assuming most of them got the code right by the second attempt).

Heartbleed would have required understanding cryptography, reading the source code, developing some complex software in a compiled language and using lots of network bandwidth. Like most security flaws, it wasn't something I could play with in my tea break. Now that everyone with a clue has patched, I might have to spend all day next door to the library's wifi to find a machine vulnerable to shellshock. Only people set up to profit from a botnet are going to bother.

If there is a next round, it will involve machines that are tricky to patch. That would point at embedded systems if most of them weren't too small for bash. Apparently some NAS boxes are vulnerable, but people dumb enough to put unencrypted SAMBA or NFS on the internet store their selfies in the cloud with easy to guess forgotten password recovery questions.


Want to see the back of fossil fuels? Calm down, hippies. CAPITALISM has an answer

Flocke Kroes

Mass production does not help windmills

Mass production of windmills on a scale needed to meet UK government targets on renewable energy would drive up the cost of materials - if you could find a place to install them.

Years ago, you could install X megawatts of wind capacity and expect to get 33% of X because the wind does not blow all the time. Later, that load factor dropped to 30% because all the good sites where you could get planning permission already had a windmill. These days a good site is 27%, and it is likely to be in the sea. One of the Orkney Islands was really happy about their site having a load factor of over 60% - until they found out how much a power cable to Scotland would cost them.

Windmills are not limited by a conspiracy of coal and oil merchants. They are limited by the number of good sites, and a bunch of NIMBYs blocking construction on most of the accessible sites. All the numbers you need to estimate the consequences of an energy policy are here. I am sure oil merchants would love to put the boot into renewable energy. In real life, they do not have to do a thing.

Flocke Kroes

Some hydrogen people are not stupid or silly

There have been a bunch of hydrogen concept vehicles dating back to the nineties, and new ones keep appearing like a hydrogen powered bicycle and a hydrogen powered tractor. The technology has advanced to the point where hydrogen vehicles are practical and even competitive in a few niche markets:

36 fuel cell buses successfully completed a three year trial in 2007.

A hydrogen internal combustion engine fork lift truck has been in production since 2008.

Hydrogen does come with all the problems you mention, but they are solvable and the cost of those solutions is falling. The difficult thing to guess is whether it will be cheapest to store hydrogen, or to combine hydrogen with carbon from CO₂ to make a more convenient fuel.

Flocke Kroes

Try it with some numbers

Let's start with solar power: about 1.4kWatt/m². Half the time there is a planet in the way, and if you do not live on the moon, there is an atmosphere with clouds. That trims the power available to 100Watt/m² in the UK. You can bump that up a bit if you angle your solar panels towards the sun. If you spin them once per day, you can have 200Watt/m². (Source: Sustainable energy without hot air.) I will use 100Watt/m², so you can multiply it by the area of your home without having to think about the angle of your roof.

A small car can go about 17km with a litre of petrol (for example: Nissan Micra). Wikipedia has figures for the energy density of fuels. Petrol is 32.4MJoules/litre, so I can go 523m with 1MJ of petrol. 1MJ of hydrogen should take me about the same distance. Each square metre of land gives me on average 100x60x60x24=8640000J per day of solar energy. Converting to hydrogen is 12.3% efficient, so I can go about ½ km per day for each square metre of roof.

If I covered 5 by 6 paces of roof with solar→hydrogen panels I would get enough hydrogen for my transport. Someone else in the house could sensibly run a car too, but a third driver requires covering the garden.

Remember: solar power costs the most lives per megawatt of installed capacity because DIY installers fall off the roof. Hydrogen/air mixtures are really good at going bang. Test your hydrogen leak detectors regularly.


SPECIAL iPHONE TROUSERS will ease Apple into the fashion world

Flocke Kroes

If Darryl's fashion tip catches on ...

The news group posts might be genuine:

dict 'baggy pantsing'


Nicked iCloud snaps: Celebrities were 'dumb' – new EU digi boss

Flocke Kroes

Stupid was a poor word choice

It causes a defensive reaction, which does not lead to people learning how to protect themselves.

A better word choice would be computer illiterate - especially if it is understood that the level of competence required to keep private data secret on an internet connected device is 'computing professional' at minimum. For high value data, that should be uprated to 'computer security specialist'.

Most people are not going to go to the trouble of getting that level of computer literacy. If they have to take nude selfies, then their only hope of keeping them secret is to use a camera with no radio, and not to view the photos on any device with an internet connection or enough storage to hold a copy. While we are at it, a reminder that cameras can only be assumed to be off when the lens cover is on. Getting people to listen to that message is difficult if you start by saying "You're so dumb."


Scrapping the Human Rights Act: What about privacy and freedom of expression?

Flocke Kroes

Will the preaching hate law ...

... apply to politicians?


SMASH the Bash bug! Apple and Red Hat scramble for patch batches

Flocke Kroes

Because the flaws were very different

The first flaw was that when bash imported a valid function from the environment, it interpreted anything after the function as a bash script.

The second flaw was if the function definition in an environment variable started out correct, but contained a certain type of invalid syntax in the middle, followed by the character '>' which redirects stdout to a file and a \ at the end to say that the rest of the command is 'on the next line of input', then bash would keep the '>' and put it at the start of the next line of text to be interpreted. Normally, the first word in a line of bash is a command, followed by its arguments. Redirecting stdout can be placed anywhere, and the '>' and file name are removed from the text so they do not show up as an argument for the command.

That second flaw is a radically different path through the code that handles an odd corner case. It is not surprising that people concentrating on fixing a different problem while keeping as much as possible of the interpreter the same (to avoid breaking any bash scripts) missed this.

Bash collected handy features because they were useful on the command line. Years ago, sh was often a link to bash so those features would be available to all the scripts in the operating system, and would be available when one command starts another with the 'system' C library function. All those handy features created a large attack surface, which was dealt with in multiple ways:

The 'system' library function became unfashionable. Programmers should use something like 'execve' instead, which does not invoke 'sh'. The link from sh to bash changed to point at a cut down shell like ash. Bash could continue to grow handy features, but ash remained small and easier to audit for security issues. Part of the reason bash had a major flaw for decades was that people were looking at ash and its derivatives instead. Security researchers did not expect bash to be used where security was required.

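
A probe for both flaws described in the post above, as an added example that is not part of the original post: it runs the two well-known environment-variable tests against the bash found in PATH (or the one named in BASH_BIN, an assumed override) and reports each as patched or vulnerable. The second probe works in a scratch directory because a bash still vulnerable to CVE-2014-7169 leaves a file named 'echo' behind.

```shell
#!/bin/sh
# Added example, not from the original post: probe a bash binary for
# CVE-2014-6271 (code after the function body is run) and CVE-2014-7169
# (a stray '>' carried onto the next command line).
# BASH_BIN is an assumed override; by default the bash in PATH is tested.

BASH_BIN=${BASH_BIN:-$(command -v bash || true)}

# CVE-2014-6271: a vulnerable bash executes the 'echo vulnerable' that
# follows the function body; a patched one ignores the definition and
# prints a warning on stderr, which is discarded here.
probe_6271() {
    [ -n "$BASH_BIN" ] || { echo absent; return 0; }
    out=$(x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the definition is cut off after '>\'. A vulnerable bash
# carries the '>' onto the next line, so 'echo date' is parsed as
# '> echo date': it runs date with stdout redirected to a file called
# 'echo'. The probe therefore runs in a scratch directory and looks for
# that file afterwards.
probe_7169() {
    [ -n "$BASH_BIN" ] || { echo absent; return 0; }
    dir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$dir" && X='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
}

printf 'bash: %s\n' "${BASH_BIN:-not found}"
printf 'CVE-2014-6271: %s\n' "$(probe_6271)"
printf 'CVE-2014-7169: %s\n' "$(probe_7169)"
```

Passing only the first probe is not enough: the initial 6271 patch left the 7169 path open, which is why both checks are run and reported separately.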

Oracle SHELLSHOCKER - data titan lists unpatchables

Flocke Kroes

Perhaps someone familiar with Oracle products can tell me...

Are these 32 products with bash installed, or 32 products that I can remotely convince to run bash with my choice of data in an environment variable?

At a brief glance, at least some of these products allow a competent sysadmin to download the source code for bash, apply a patch, compile and install a fixed version - all without any help from Oracle. Is this true of all 32?

Flocke Kroes

Do your research before you buy

Firstly - do you actually have an embedded device with bash installed? Bash is big, and if embedded devices have a shell at all it is usually one of the mini ones like lash which is not vulnerable to this flaw.

Secondly, pretend a flaw is found in lash tomorrow, and you have a device for which you cannot download the source code, apply a patch, cross compile and install new firmware. <shouting>Why did you buy it?</shouting>. There are plenty of hackable devices out there. If you want a router, pick one that is easy to install openwrt on. The reason locked down devices exist at all is because people buy them. Stop it at once, or you have to pay whatever the vendor demands for updates.


Stunned by Shellshock Bash bug? Patch all you can – or be punished

Flocke Kroes

Checking the TV

I did a web search before purchase and picked one that was hackable. There is a magic sequence of buttons on the remote control that gives you the service/retail menu. One of the options enables shell access on a serial port on two unused pins on the VGA input. Just solder a VGA connector to a 3.3V serial to USB converter, plug it into your Pi and start miniterm. I picked an old TV, so most of the work had already been posted on the internet. Take a look here to see what sort of things are available.

I strongly recommend searching for a hackable device before purchase - especially for long lifetime items like a TV. If you cannot recompile and install the firmware yourself then you are dependent on the vendor producing patches. Plenty of vendors think that ending support for a product is a good way to force users to buy a new toy. Just imagine how bad things would get if computers used secure boot so people could not install their own BIOS...

Flocke Kroes

CVE-2014-7169

Was fixed on Debian and Raspbian before this article appeared.

Anyone vulnerable embedded system? My TV and router do not have bash installed.


Bash bug: Shellshocked yet? You will be ... when this goes WORM

Flocke Kroes

It is nastier than that

Using the CGI attack vector, the web server will un-url-escape a string I supply and put it into an environment variable. The CGI script is expecting an unescaped string, so the standard does not provide a way to prevent my choice of string going into an environment variable.

Bash provides a mechanism to export bash functions to a bash sub-process. Bash assumes any environment variable starting with '() {' is a function. Defining a bash function is part of the bash language, and bash uses the bash interpreter to convert the environment variable into a function definition. The bad news is that the interpreter did not stop at the end of the function definition. Extra text in the environment variable after a function definition gets interpreted just like a bash script.

If a web server has a vulnerable version of bash, and a CGI script either written in bash or using a bash sub-process that receives the CGI environment then remote users can execute their own bash scripts with the authority of the web server.

The obvious places to prevent this are any of these:

*) make bash stop interpreting function definitions at the end of the function definition.

*) use something like fastcgi which passes parameters through file descriptors instead of environment variables.

*) Do not write CGI scripts in bash AND ensure that the environment is sanitized before starting a bash sub-process.

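
The CGI path described in the post above, as an added example that is not part of the original post: a wrapper that exports a header verbatim and starts bash, next to one that rejects function-looking values and starts the script under 'env -i' with an explicit allow-list. The header values are constructed and the CGI "script" is an inline bash -c that echoes the header back; on a patched bash the unsafe variant merely prints the string.

```shell
#!/bin/sh
# Added example, not from the original post: the CGI header-to-environment
# path, once done the vulnerable way and once with the environment sanitised.
# Header values are constructed; the CGI 'script' is an inline bash -c that
# just echoes the header back.

SHELL_BIN=$(command -v bash || command -v sh)

ATTACK_UA='() { :;}; echo INJECTED'   # what a client can put in User-Agent
BENIGN_UA='Mozilla/5.0 (constructed)'

# A value that old bash would import as a function, and keep parsing
# past the closing brace.
is_function_like() {
    case "$1" in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Vulnerable pattern: the server exports the header verbatim under CGI's
# HTTP_<NAME> convention and starts bash, which inherits it unchanged.
run_cgi_unsafe() {
    HTTP_USER_AGENT="$1" "$SHELL_BIN" -c 'echo "agent: $HTTP_USER_AGENT"' 2>/dev/null
}

# Hardened pattern: refuse function-looking values, then start the script
# with an empty environment plus an explicit allow-list (env -i), so
# nothing else from the request can reach the child shell.
run_cgi_safe() {
    if is_function_like "$1"; then
        echo rejected
        return 0
    fi
    env -i PATH=/usr/bin:/bin HTTP_USER_AGENT="$1" \
        "$SHELL_BIN" -c 'echo "agent: $HTTP_USER_AGENT"' 2>/dev/null
}

printf 'unsafe, benign : %s\n' "$(run_cgi_unsafe "$BENIGN_UA")"
printf 'unsafe, attack : %s\n' "$(run_cgi_unsafe "$ATTACK_UA")"
printf 'safe,   attack : %s\n' "$(run_cgi_safe "$ATTACK_UA")"
```

The prefix check mirrors the test old bash applied before importing a function, so it catches the exact shape of the payload; the allow-list under env -i is the part that still matters after patching, because it keeps every other request-derived variable away from any shell the script happens to spawn.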
Flocke Kroes

Lots of sites have man-pages

The first google search I tried, three of the first four sites use a CGI bash script to return search results for man pages. Those sites either have already, or urgently need to replace bash.

Flocke Kroes

Depends...

If there was some way to remotely pass environment variables through bash, then yes, you might already have been screwed. I would expect that there is a patched version available for OSX by now. Go find it.

Flocke Kroes

Important, but easily fixed

You do not need to get your vendor to tell you if you are affected. Just type:

x='() { :; } ; echo shellshockable' bash -c 'echo test'

If you updated your software last night (this morning for Raspbian) you will get:

bash: error importing function definition for `x'

My router says:

/bin/sh: bash: not found

Embedded systems often use one of the trimmed down shells available with Busybox. Ash and lash are not vulnerable.

This is important: CGI passes parameters through the environment, CGI scripts can be written in bash, and it is easy to install vast amounts of software on a Linux system, some of which might still use '90s tech because it did not break every time a vendor required their users to buy an upgrade. If you need to test some embedded system without any obvious access to the shell, try a google search for your device's name with the word 'telnet'. If you actually find one that uses bash, and the vendor does not have new firmware ready by tonight, look for a replacement that can run openwrt.


Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI

Flocke Kroes

The usual trick

PHB asks for proof of concept demo software to get some investment. Funds are needed urgently, so "You can save time by not bothering with security." When that version is delivered, the software 'works', so it must be 'complete', and there is no need to waste time or money on changes that only matter to engineers. PHB will ship it as is.


Exercise-tracking app not QUITE fit for purpose

Flocke Kroes

It has caused trouble once ...

... trying to buy a large TV. Someone claiming to be the supplier called me and asked security questions which I refused to answer on the grounds that I had no idea who she was. The concept that she had to prove her identity to me was beyond her. The supplier had no provision for a customer phoning in to answer security questions. The next supplier was just as bad. The third supplier would not accept my credit card because of 'failed transactions'. I ended up going to the shop and paying cash. I think that is far less hassle than someone getting a loan for me and withdrawing £40,000.

Flocke Kroes

I thought date of birth was like a password

You do not give the same date of birth to different websites / companies / banks. You keep dates of birth in your encrypted password file along with email addresses and password recovery questions you got from strings /dev/urandom | less


Monitors monitor's monitoring finds touch screens have 0.4% market share

Flocke Kroes

The 'thought' process is easy to understand

Microsoft's market is the desktop (with a few servers and one token super computer). The desktop market is dwindling in favour of phones and a few tablets. Phones and tablets are Linux and iOS, so if Microsoft do nothing they will become a small niche with prices shooting up as costs get divided by an ever decreasing number of users.

To avoid that, Microsoft must enter the phone/tablet market at any cost - no matter how many desktop users they drive to distraction. If they fail, people will use Libreoffice on their phones and desktop users will have to install it too because Microsoft need to maintain incompatibility. The plan was to require third party developers to convert their software to a touch interface so the same software would work well on a tablet and a desktop. The plan is obviously catastrophic, but Microsoft were that desperate. Now the costs are clear Microsoft will back off until the next big disaster.

When people start plugging their phones into a keyboard and monitor to write documents instead of buying a desktop, you will see TIFKAM wheeled back out with the same results as before.


Spies would need SUPER POWERS to tap undersea cables

Flocke Kroes

The big advantage of working under water ...

... is the enormous cost. You could hide all sorts of dodgy expenses in a budget like that.

The power supply is really easy to deal with. Send a fishing boat out to drop a sharpened anchor on one side of the cable and sail to the other side. You then have plenty of time to install your tap while the cable's owner dispatches a repair ship.


Wanna keep your data for 1,000 YEARS? No? Hard luck, HDS wants you to anyway

Flocke Kroes

SSD

Without power, an SSD will eventually collect more bit flips than the error correction can recover. With power, the firmware can read through all sectors, and re-write the ones that were hard to read. Eventually that re-writing will wear out all the reserve capacity and the device will lose data. The manufacturers can plot a graph of lifetime versus temperature for high temperatures and extrapolate a guess at the lifetime for sensible temperatures. Real figures take years to collect, and by that time people have moved on to the next generation of technology.

Ages ago I read about an archive project that wrote new firmware for their disk drives. The firmware automatically distributed copies of the data across the array and monitored the health of the other drives. As long as people swap worn out drives for new ones, the data should stay in the archive, and upgrading to newer technology can be done one drive at a time. The most obvious points of failure are lack of funding and someone accidentally deleting everything. I still have more confidence in that lasting 50 years than 1000 year optical disks.


'Windows 9' LEAK: Microsoft's playing catchup with Linux

Flocke Kroes

@Def - case insensitive file systems

Most of the users I have met have difficulty typing file names at all. They click on file names, so there is no issue with them typing them with the wrong case. In the unlikely event that a user ever types a file name, the mail user agent or word processor or whatever could do a case insensitive search if a case sensitive search fails. By all means, put such functionality into the file selector of whatever GUI toolkit you like so applications behave consistently. All of this can work fine, without the file system driver knowing a thing about unicode.

Now take a look at what happens when some utterly clueless PHB says that the file system driver has to do case insensitive matching. For example 'dz'. If your browser and font system are reasonably modern, that example should look like 'dz', but if you try to select just the d or z, you should get none or both at once because dz is a single letter. If you capitalise a whole word that includes dz, you need a DZ. If you only want initial capitals then you need Dz. Things go rapidly down hill when you come across dž, ʥ, ʤ and ʣ (look closely and you will see the letters are closer together in ʣ than in dz). Unicode has plenty of stuff like this, and the number of corner cases grows with each version.

Outside the Microsoft ghetto, operating systems can handle dozens of different file systems. Putting this crap into every file system driver would be insane. Even worse, when a file system driver updates to a new version of unicode, some things that used to match will stop matching and other previously distinct names will match. Piles of automated software that used to work fine will start breaking depending on the file system in use, the version of its driver and the language used to name files.

Years ago, Microsoft software put the clocks back an hour at the end of daylight saving time. Because Microsoft thought it was a good idea for the system time to be the same as local time, an hour later they put the clocks back again, and again... That bit of stupidity caused a day of pandemonium in each country that uses daylight saving time until the problem was fixed. On the plus side, the failures were sufficiently widespread and synchronous to hit the news so people understood what was going on, and how to deal with it. Case insensitive file system drivers problems do not hit entire countries on the same day, so they do not make the news. There are still people out there who do not understand why that badly designed feature is such a can of worms.


DARPA-backed jetpack prototype built to make soldiers run faster

Flocke Kroes

DARPA has a budget problem: How to spend it fast enough

Jets are loud. Small jets are really loud. I bet this one just screams 'shoot me' to everyone within a mile. After running a mile, the soldier is knackered and has a hefty burning hot jet pack with no fuel strapped to his back.


CNN 'tech analyst' on NAKED CELEBS: WHO IS this mystery '4chan' PERSON?

Flocke Kroes

The other trick that stumps all hackers

Turn the keyboard upside down and type: pɹoʍƨƨɐd


Discovery BATTLED 2-foot-long WEE ICICLE on first mission - 30 years ago today

Flocke Kroes

Much easier to understand if you know what temperature is

Temperature is proportional to the average energy per particle. Touch a piece of metal on a cold day, and it has lots of cold particles. Your fingers warm them up, and they warm up the ones next to them so it takes a long time to heat the metal under your fingers up to near your body temperature. If you touch a piece of sponge on a cold day, as it is mostly air it has far fewer particles. Air conducts heat badly, so the heat stays near your fingers. Air expands when heated, becomes less dense and floats away drawing fresh cold air into place. Sponge traps air in place, so there are no convection currents. If you touch a piece of metal and a piece of sponge both at 1°C at the same time the sponge feels warmer because the part of the sponge in contact with your fingers gets close to body temperature very fast.

Space is almost empty, so its temperature depends on a tiny number of particles. As there are so few particles, there is nothing to conduct heat from one place to another. In a circular orbit, the force of gravity gives precisely the acceleration required to go round in a circle. Everything falls together, so hot air does not rise in orbit and there are no convection currents.

This is a bit of a problem for an astronaut in a space suit. Live humans produce about 100W of heat when idle. If this stayed inside the space suit, the temperature inside would rise until the astronaut died - then it would keep rising until the bacteria decomposing his body died too. You can demonstrate the solution by quickly pumping up a bicycle tyre. The end of the pump gets hot because compressing air increases its temperature. Likewise, when air expands its temperature falls. Space suits pump heat to one place, and let the air slowly leak out there. The hot air carries heat away into space, and its expansion into vacuum cools the space suit.

The last thing we need to understand before we make wee icicles is the boiling point of water. Water molecules attract each other, and that attraction keeps most of them together. The fastest ones can escape from the others and fly off. The fastest ones are the ones with the most energy, so when they go, the average energy per particle falls. Those of you who are still awake will remember that average energy per particle is proportional to temperature, so when some water evaporates, the water left behind gets colder. Evaporation is only half the story. Water molecules in the atmosphere bounce all over the place, and some of them crash into puddles of water. The attraction between water molecules pulls them in hard and increases the velocity, which is a type of energy. When the number of water molecules leaving by evaporation is much higher than the number of water molecules arriving by condensation, the water boils. Reducing the pressure reduces the number of molecules that can arrive by condensation, so the water boils at a lower temperature.

If we still taught physics in school these days, people would understand what happens when an astronaut flushes the toilet. When the urine is piped out into space, the pressure falls and that reduces the boiling point. Boiling pee loses its most energetic particles so its temperature falls until it freezes. As space is almost empty, its temperature does not matter as heat cannot conduct or convect from space to or from the wee icicle. Heat can move in space by radiation. Solar radiation can heat an icicle and that heat cannot escape by convection or conduction into space. The only thing keeping the icicle cool is when the most energetic water molecules leap off into space. Eventually the icicle becomes thin enough to break off without damaging anything.

12
0

NASA to reformat Opportunity rover's memory from 125 million miles away

Flocke Kroes
Silver badge

Re: Patch Tuesday

They have Sol Martis.

4
0

BOFH: The current value of our IT ASSets? Minus eleventy-seven...

Flocke Kroes
Silver badge

You know inventory day is approaching ...

... when every set of scales goes missing at the same time.

PFY: "You want me to count these washers?"

PHB: "Yes."

PFY: "Really count a bag full of washers?"

PHB: "Yes, we must have a complete and accurate record of our inventory."

Bin: "Clonk."

PFY: "We have 0 washers."

PHB: "Did you just throw that bag of washers in the bin?"

PFY: "Yes. I will order a bag of 1000 tomorrow. It will be cheaper than counting them."

PHB: "Fine."

Now I know... if there are no scales on the shelf in the calibration office, bring your own set in tomorrow.

30
0

One step closer to ROBOT BUTLERS: Dyson flashes vid of VACUUM SUCKER bot

Flocke Kroes
Silver badge

This being Dyson ...

In five years time, Dyson will sue Roomba for patent infringement. Oh wait ... that would be like Apple too.

5
0

HP: We're still running the ARM race with Moonshot servers

Flocke Kroes
Silver badge

1 & 2 GB Arms

There is now a selection of 1 and 2GB 32 bit Arms. Take a look here.

At those prices, techies can play with them and get a feel for what they are capable of. When a task matches a machine I have tried, I can select a 32-bit ARM with confidence and save money and power compared to a low end X86.

I have yet to even hear rumours of cheap 64-bit Arm boards. Perhaps something will turn up in 2016.

0
1

Super Cali signs a kill-switch, campaigners say it's atrocious

Flocke Kroes
Silver badge

@Eugene Crosser

Put the IMEI in PROM and no-one can change it. Change the firmware so it does not read the PROM and the IMEI is whatever the firmware decides it should be. The real danger of this law is it requires UEFI or something equivalent so you cannot jailbreak your phone.

1
0

Cleversafe CEO: We would tell you about the 8TB drive, but...

Flocke Kroes
Silver badge

When 2MP is or isn't enough

If you are looking at the whole picture, 2MP is fine. If you step up close to the picture, ideally the part you are looking at should be about 2MP, so the full image should be bigger. 4k TV is pointless because you look at the whole screen. A 4k monitor can be pointy if you like to have 4 x 2MP diagrams in front of you at the same time.

0
3

6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)

Flocke Kroes
Silver badge

Click back?

I set middle click to open the link in a new tab and not switch to it. I middle click on the links that look interesting, then close the tab. Waiting for a page to load is thoroughly last millennium. "Clicking back" and waiting for a page I have already seen to reload sounds like a complete waste of life. Have Facebook users really not learned Noddy level browser use, or is this the brainfart of a PHB?

7
2

Red Hat: ARM servers will come when people crank out chips like AMD's 64-bit Seattle

Flocke Kroes
Silver badge

I agree, I would rather have FDT than UEFI

UEFI usually means no documentation, soldered down firmware, hoping for vendor updates to remove some of the bugs and praying the device does not get bricked during a firmware update. Lack of UEFI means there may or may not be good documentation, and the firmware may or may not be on standard removable media. I have been voting with my wallet. I am sure I am not the only one because the embedded system market has been creeping and lurching in the right direction.

4
0

Claim: Microsoft Alt-F4'd Chilean government open-source install bid

Flocke Kroes
Silver badge

So Microsoft is saying ...

... buying proprietary software cannot be justified.

22
2

TRANSMUTATION claims US LENR company

Flocke Kroes
Silver badge

I thought I recognised this as previously debunked junk

I went to the website, pointed my browser at 'theorypaper9-4.pdf' and got an empty file. wget says 403 forbidden so the EmDrive fully lived up to my expectations. There is a 'principle of operation' page. The diagram has changed since last time.

Before, the magic chamber was a triangle, and the mathematics showed that the force on the roof was smaller than the sum of the forces on the other two sides. The mathematics conveniently used scalar addition, even though all three forces were in different directions. The correct mathematics would have summed the vertical components of the three forces and got the inconvenient result of 0. Despite the glaring defect in the mathematics, the project was still funded by the UK government.

This time, the picture is a trapezium, and the hand waving fuzzy argument talks about an EM wave with a 'large velocity difference at the reflector surfaces'. Electromagnetic waves all travel at the same velocity in vacuum. To get a velocity difference, you need two different materials, or a mixture of materials that smoothly changes composition with distance. As reading the theory is forbidden, I can only guess at the technique used to hide the defective mathematics. The way I would do it is to focus on the radiation pressure from reflection at the two ends and not mention the force on the (unshown) graded material in the middle.

14
0

Don't even THINK about copyright violation, says Indian state

Flocke Kroes
Silver badge

They are just following the UK's existing laws

According to the MPAA, bootleg DVDs fund terrorism. If you are suspected of terrorism in the UK, you can be held without being charged for 28 days (The plan was for 90 days but we have been spared that for the time being).

11
1

Intel's Raspberry Pi rival Galileo can now run Windows

Flocke Kroes
Silver badge

What software will it run?

Back when X86-64 was shiny and new, Windows did not run on it. Eventually Microsoft ported Windows. 64-bit drivers usually arrived when manufacturers released new products and all Windows applications were 32-bit for years for compatibility with the large installed base of 32-bit machines. AFAIK, Windows developers now target X86-64. What happens when you try to buy 32-bit software for Windows?

6
2

MPs to gaze upon biometric data industry's ID-gobbling tech

Flocke Kroes
Silver badge

Of course new laws are required

1) A finger print left by a 3D-printed fake finger at a crime scene should be sufficient to convict anyone but a politician.

2) A phone company should be able to use your finger print with your bank if you forget to pay your bill.

3) All biometric data should be sent to GCHQ in case they need to impersonate you.

4) Wearing a Theresa May face mask should be an offence punishable by summary execution because you must be a terrorist.

Did I miss anything?

18
0

AMD's first 64-bit ARM cores star in ... Heatless in Seattle*

Flocke Kroes
Silver badge

X86 RISC core

Intel tried non-x86 instruction sets before. Have you even heard of the i860 or i960? (Both died last millennium.) The Itanium was an unusual type of success: its announcement caused delays and reduced funding to improve existing competitive 64-bit RISC architectures. Intel won that battle before the Itanium was even delayed - let alone released as an over-priced low performance power hog. Although specialist applications were created for these CPUs, they never got economies of scale because the vast majority of customers had bought x86 binaries with no source code and did not want to buy them again - even if they could.

When AMD created AMD64, Intel copied it promptly and disabled the implementation. I think they did not want to encourage people to code for the architecture, but wanted to be ready in case it was successful. The first AMD64 CPU was released in April 2003. Linux support was ready in 2001, and X64 Windows was sold in March 2005. Sometimes new hardware even had 64-bit Windows drivers. Occasionally, developers would release 64-bit Windows software, but there was no sense of urgency.

Even if the RISC core inside Intel X86 CPUs was binary compatible from one generation to the next, Windows developers release software for new architectures slower than continental drift. In the free software world, Debian officially supports 11 different CPU architectures and has unofficial support for 9 more. (You can have confidence in AMD64, ARMEL and ARMHF. Expect anything from speed bumps to road blocks if you try to do anything useful with the other 17.)

New architectures only get Windows support five years after free software on them is so successful that Microsoft decide they need to compete. Free software targets architectures with a good price/performance ratio - especially at the low end of the market where hobbyists can pick up some cheap hardware and re-purpose it.

Intel are the world leaders in exorbitantly priced CPUs. From Intel's point of view, every cheap CPU sold means an expensive CPU isn't. They are the wrong people to introduce a new architecture, and decades of experience has hammered that lesson into their skulls.

13
0

Windows 8 market share stalls, XP at record low

Flocke Kroes
Silver badge

Bye bye UEFI

I am currently using a 1GHz armhf. It is fine for writing letters, answering email and web browsing. It is silent, tiny and under £100 - with keyboard, mouse and monitor from a dead AMD64 PC. There is a choice of these things, and none of them suffer from UEFI. (They all use forks of Das U-Boot showing various levels of hurriedness, ignorance, inexperience, lack of documentation and repair by skilled hobbyists.)

A newly released ARM small cheap desktop comes with Android or Ubuntu. Installing the distribution of your choice requires the ability to solder on a serial port so you can talk to U-Boot. Machines that are a year or two old will have instructions on the web that can be followed by anyone able to read man pages.

UEFI is not a barrier for desktops. Just do your research before purchase just like you had to for graphics cards and Wifi last decade.

6
0
