* Posts by Frumious Bandersnatch

2662 publicly visible posts • joined 8 Nov 2007

Europe to push new laws to access encrypted apps data

Frumious Bandersnatch

Re: If apps are intrinsically insecure ...

Actually, I was also thinking about Bitcoin. Since the ledger is public, you can encode your "go/no-go" message using a transaction of a certain amount. I assume that wallet IDs are stored in the ledger, although it's impossible to know who they belong to unless you find it on someone's PC, which shouldn't happen if you're doing it right.

Frumious Bandersnatch

Re: and picture messaging will be banned

As someone mentioned above, it's much easier to use specific pre-arranged codes, preferably one use only. Something simple like posting an animal picture or video on a certain day, with the choice of animal (or no post at all) giving a traffic light-like status update or selecting from a set of targets, or whatever. Assuming you can meet up in person at least once without being bugged/spied on, it's trivial to pre-arrange this sort of thing and no amount of technology or anti-encryption laws can defeat it.

(Hmm... I didn't see that post that's (now) right above mine, suggesting exactly the same thing)

BDSM sex rocks Drupal world: Top dev banished for sci-fi hanky-panky

Frumious Bandersnatch

Jeez.

It's like you make one sexy Star Trek role-play video for your own private amusement, and everyone's like "I know they call it the naughties, but that sort of thing isn't acceptable"

https://www.youtube.com/watch?v=1x-ATlpqo1M

Plus, role-play is generally all that this is.

Boffins give 'D.TRUMP' an AI injection

Frumious Bandersnatch

Re: Prof. Holmes

So, pretty much the Socratic method of pedagogy.

As of today, iThings are even harder for police to probe

Frumious Bandersnatch

Re: Once glaring omission

No data checksumming, unlike ZFS.

I've no idea about whether this is true or not, but could it be that the flash controller includes bad block detection and recovery (where possible; returning an I/O error otherwise) at a lower level? If so, perhaps there's no need for duplicated functionality. Besides, I think that read errors are much less of a problem with flash: it's write endurance that's the main problem.

Frumious Bandersnatch

Re: Speed

the original Nexus 7

The solution there is to root it and periodically run fstrim. I don't think that they ever fixed that problem and even with the workaround, my tablet still falls off a performance cliff before I can run the fstrim, followed by a complete crash/reboot.

Cheap, flimsy, breakable and replaceable – yup, Ikea, you'll be right at home in the IoT world

Frumious Bandersnatch

Not Ikea, but Lego

That's what I want. I want a building block that slots in nicely, is easy to switch out, doesn't phone home (not that I'm particularly singling out Ikea on this), and connects to just the stuff that we want it to. All the ancillary stuff to do with data collection and actuation (as well as the logic glue that holds sensor nets together) should be done in a secure manner using your own properly-firewalled home network subnet (and possibly a portal via a secure VPN for secure control when outside). All this stuff about connecting to some mothership can go stick its head in a pig.

Causing excruciating pain when you step on it barefoot is optional.

Samsung plans Galaxy Note 7 fire sale

Frumious Bandersnatch

give it to us with a replaceable battery

Then it might be a goer (or blower, with an added SIM)

Manufacturers reject ‘no deal’ Brexit approach

Frumious Bandersnatch

Re: Welcome to Trump.UK

The last prime minister called this election to pacify his own right wing, safe in the knowledge he'd comfortably win.

This, a hundred times. He gambled the entire country for the sake of party politics and to cement his own position. It was a spectacularly stupid gamble to take, and now all the dominoes are falling. I'd say that this is not unlike the domino effect that caused the First World War, with parochial local politics somehow managing to ensnare the whole fucking continent. The sort of clusterfuck that the EU originally set out to avoid happening again, I might add.

Frumious Bandersnatch

Re: It'll be fine

They're intransigent no matter how much it benefits them

That has still to be seen. If May, as she indicates she will do, goes into negotiations effectively saying "fuck you, we're prepared for these negotiations to fail, despite the massive collateral damage this will cause to both sides," then it's hardly a good strategy for dealing with the other member states. You brought them to the negotiating table so if you want to soften their perceived intransigence, this strategy is pretty much guaranteed to achieve the opposite.

Toshiba's nuclear power plant business runs out of steam

Frumious Bandersnatch

Hmmm

Maybe Trump could ride in on Rocinante and save all those Murcan jobs?

Astroboffins stunned by biggest brown dwarf ever seen – just a hop and a skip away (750 ly)

Frumious Bandersnatch

Re: 99.9 per cent hydrogen

ditto, but Minter was just channelling Floyd.

UK Home Sec: Give us a snoop-around for WhatApp encryption. Don't worry, we won't go into the cloud

Frumious Bandersnatch

as quoted in the Guardian

> The home secretary said it was “completely unacceptable” that the government could not read messages protected by end-to-end encryption

https://www.theguardian.com/technology/2017/mar/26/intelligence-services-access-whatsapp-amber-rudd-westminster-attack-encrypted-messaging

So not only was the cloud-related stuff as mentioned in the article here a bit fluffy, but so is the secretary's grasp of what "end-to-end" encryption means. If WhatsApp is actually end-to-end, then what the hell is ranting to the company going to achieve: they surely wouldn't be able to decrypt it even if they wanted to.

Why do GUIs jump around like a demented terrier while starting up? Am I on my own?

Frumious Bandersnatch

Spot on

The most annoying thing on Windows is with automatic updates. It goes and downloads something and pops up an alert at some random time. If you're typing something at the time and just happen to be hitting enter, it's always "yes, do shut down my machine, ignoring any unsaved work that I have, and while you're at it, why don't you make the machine unusable for the next 20 minutes". Aaagh.

Also, speaking of UI components that jump around the place for no good reason, whoever designed the UI for Netflix in a browser deserves to be shot. Stop fucking moving shit around when I mouse-over on it!

Amazing new WikiLeaks CIA bombshell: Agents can install software on Apple Macs, iPhones right in front of them

Frumious Bandersnatch

Re: Airports

> /Frumious

You rang?

Frumious Bandersnatch

Erm, but ...

You dismiss the possibility of interfering with the supply chain, but how does that square away with more recent events:

https://www.theregister.co.uk/2017/03/12/malware_infecting_androids_somewhere_in_the_supply_chain/

OK, it's apples for oranges (lemons?) and different animals on your free Chinese takeaway calendar, but still...

Good news, everyone! Two pints a day keep heart problems at bay

Frumious Bandersnatch

Re: booze is good for you

Better to think a bit after someone corrects your English and you decide to hit back by criticising their comprehension skills... You really should have said "since-defunct" (though I'm not 100% sold on the need for the hyphen here). I didn't downvote you, by the way.

Microsoft loves Linux so much, its OneDrive web app runs like a dog on Windows OS rivals

Frumious Bandersnatch

Re: Loved to Death

But it's a fair comment, AMBxx. Trump has filled many posts with people who aren't experienced or educated in the job area that they're supposed to be managing. I'm not going to look up a list, but Rex Tillerson, for one, has no experience in the public sector or the military, and yet he's been doing the rounds trying to be a diplomat. There are many other examples. The guy with control over the EPA doesn't "believe" in man-made global warming/climate change, for one. Maybe faith/belief trumps science?

I don't underestimate Trump or many of his appointees in the same way that I don't underestimate a rabid and unpredictable dog.

'Clearance sale' shows Apple's iPad is over. It's done

Frumious Bandersnatch

Re: I've said it before...

(too late to edit my last post above, so ...)

Come to think of it, chord typing could be pretty comfortable using touch sensors rather than buttons and 2-handed operation instead of one hand. Use your four fingers in the rear for ASDF + G on one side, and thumb up/down on the front to select a different row, or move to top left/top right for numbers/punctuation. Use pressure-sensitivity rather than taps to "squeeze out" the chorded key. Same thing for H + JKL; on the other hand, and two thumb squeezes together for space. It might take a little bit of getting used to for someone used to touch typing (since the thumb is moved instead of the fingers going up/down (in/out, relative to the edge of the screen)), but it might be sufficiently similar to be able to transfer your muscle memory over.

Frumious Bandersnatch

Re: I've said it before...

Take a Nintendo Switch...

Funnily enough, I had a similar idea when I was reading the article, except I was thinking of something a bit older (MicroWriter, ca. 1980). Figured it'd be best used in a two-handed configuration so you can grip the device while looking at the screen. Is eye tracking good enough that you could use it for moving a cursor or tabbing?

Ubuntu splats TITSUP bug spread in update

Frumious Bandersnatch

Chekov here: my nyetwork

is performing within operational parameters.

Gift cards or the iPhone gets it: Hackers threaten Apple with millions of remote wipes

Frumious Bandersnatch

Re: Quite ironic

"wipe it and reinstall" is indeed a painless way ...

But, Apples aren't (Windows) PCs.

Frumious Bandersnatch

Re: Simple

If it happens, apple are bad for not paying [...]if it doesn't apples are bad

Oh, no. bad apples make Apple bad? Sounds like perps are trying to shoot fish in a barrel, but not using any core vulns to pip them post paste.

Can we learn to love AI and sex robots?

Frumious Bandersnatch

Ho Ho!

Go Bambi! Go Thumper!

(xmas rule 34.007 and all that; maybe get some cheese-smelling action in later... )

Frumious Bandersnatch

Hmmm

More to the point, can we have 愛 (love) and セックス (sex) at the same time?

(どうもありがと、マダマロボット: thank you very much, Madam Robot)

Coppers 'persistently' breach data protection laws with police tech

Frumious Bandersnatch

Re: "majority of cases, the officer thinks that they are doing it for the right reasons"

And not just the police, as it happened:

http://www.irishtimes.com/news/appalling-vista-observation-stuck-1.160004

Decapitating Rockall: How a 1970s Navy expedition blasted the top off the Atlantic islet

Frumious Bandersnatch

Entertainment!

(There may be oil / under Rockall)

Git sprints carefully towards SHA-1 deprecation

Frumious Bandersnatch

> To all those saying bah to the concept of dual hashing...

I think that those doing the pooh-poohing are imagining the scenario hash2(hash1(message)), and they're right to do so. If you use hash = hash1(message).hash2(message) then the strength of the resulting hash should be the product of the strength of both constituent hashes.

Frumious Bandersnatch

Re: @Deltics

An interesting feature of a perfect compression is that the output bit stream is (if one did not know that it was a compressor's output) perfectly random.

Not true, for two main reasons.

First, you're not defining what "perfectly random" means. You have a general idea of what this means, but I'm pretty sure that you're not able to back that up with maths. Also, why the hedge "if you don't know it's a compressed file"?

If you take a simple compressor that takes an input stream and does something like Lempel-Ziv-Welch (LZW) compression then you have a stream of output tokens that either encode for a verbatim section or a pointer + length symbol that refers back to a previously-seen section of the file. Both have patterns that make them distinguishable from random data.

Second, this "perfect" compression. Again, there's this terminology deficit, but a fundamental theorem of compression is that not all data can be compressed using a given compression algorithm. If a compression algorithm is to be reversible (and can accept arbitrary input) then some inputs will compress to smaller outputs (or the same size) while others will compress to larger outputs. These larger outputs (and even smaller outputs, to some degree) will tend to be at least partly systemic, meaning that some input symbols will appear verbatim in the output. The only thing that running something through a compressor proves is how good the compressor is at exploiting certain kinds of redundancy/structure in the input file, not how much entropy the input/output files have in absolute terms.

This false line of thinking (that compression outputs have to be random and uncorrelated with input) has been used before in attacks on SSL connections:

https://en.wikipedia.org/wiki/CRIME_%28security_exploit%29
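The length-oracle idea behind CRIME, as an added example that is not part of the original post or of any CRIME tooling: zlib (via Python's stdlib binding) compresses an HTTP request in which an attacker-chosen path and a server-added cookie share one DEFLATE stream, and the attacker learns one cookie byte per round from nothing but the compressed length. The request layout, the cookie value and the hex alphabet are constructed for the demo. Two choices are mine and not how the 2012 attack worked: the Z_FIXED strategy pins the Huffman tables so every ASCII literal costs exactly 8 bits, and each guess is scored over eight padding lengths, because a single compressed size only changes when the bit count crosses a byte boundary and can therefore tie (CRIME's authors dealt with that rounding with their own alignment tricks). The last function shows the other half of the post's argument: the output has a checkable zlib header and a size that tracks the input's redundancy, neither of which random bytes would have.

```python
import zlib

# Constructed for the demo: a cookie the attacker cannot read and the alphabet
# it is known to be drawn from (a hex session token here).
SECRET_COOKIE = "sessionid=7f3a9c1e2"
KNOWN_PREFIX = "sessionid="
ALPHABET = "0123456789abcdef"

# Z_FIXED pins DEFLATE to its fixed Huffman tables: every ASCII literal costs
# 8 bits, bytes >= 0x90 cost 9 bits. Value 4 is zlib.h's Z_FIXED for old bindings.
Z_FIXED = getattr(zlib, "Z_FIXED", 4)

# Eight distinct bytes >= 0x90: k of them shift the stream by exactly 9k bits
# and, being unique, never form an LZ77 match with anything.
PADDING = bytes(range(0x90, 0x98))


def deflate_len(data: bytes) -> int:
    """Byte length of the zlib stream for data (level 9, fixed Huffman)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 8, Z_FIXED)
    return len(comp.compress(data) + comp.flush())


def build_request(attacker_path: str, cookie: str = SECRET_COOKIE) -> bytes:
    """Attacker-chosen path and server-added cookie in one compressed stream,
    which is what TLS-level compression handed an attacker in CRIME."""
    return (f"GET /{attacker_path} HTTP/1.1\r\n"
            f"Host: example.test\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode("ascii")


def oracle_score(attacker_path: str) -> int:
    """Sum of compressed sizes over padding lengths 0..7.

    One size only moves when the bit count crosses a byte boundary, so a single
    measurement can tie. Over eight 9-bit paddings every alignment occurs once
    and the sum becomes an affine function of the exact bit count.
    """
    req = build_request(attacker_path)
    return sum(deflate_len(req + PADDING[:k]) for k in range(8))


def recover_secret(prefix: str = KNOWN_PREFIX, n_chars: int = 9) -> str:
    """One byte per round: the guess that lengthens the back-reference to the
    cookie by one byte saves one 8-bit literal, so it scores lowest."""
    recovered = prefix
    for _ in range(n_chars):
        recovered += min(ALPHABET, key=lambda c: oracle_score(recovered + c))
    return recovered


def compressor_output_is_structured(data: bytes) -> bool:
    """Compressor output is not random: zlib streams start with a header whose
    16-bit value is a multiple of 31, and redundant input shrinks a lot."""
    out = zlib.compress(data, 9)
    header_ok = out[0] == 0x78 and ((out[0] << 8) | out[1]) % 31 == 0
    return header_ok and len(out) < len(data) // 10


if __name__ == "__main__":
    print("recovered:", recover_secret())  # sessionid=7f3a9c1e2
    print("structured:", compressor_output_is_structured(b"A" * 1000))
```

The fix that shipped for CRIME was not a cleverer compressor but turning TLS compression off; the same oracle reappeared at the HTTP layer as BREACH, where the secret and the attacker's input are compressed together by the web server instead of by TLS.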

Linux, not Microsoft, the real winner of Windows Server on ARM

Frumious Bandersnatch

> dominated by Intel because there was a standard configuration

Perhaps this is part of it, but I think that the more salient point is that not many attempts have been made to make and offer "server-class" ARM systems. The PC desktop/server world has been constantly evolving its Industry-Standard Architecture, bringing in new types of memory, buses and peripheral interconnect the whole time it has existed. By contrast, ARM systems tend to favour the System-on-a-Chip approach, with features that are much more suited to embedded applications than being at the centre of a peripheral-focused/interconnected ecosystem. So you tend to see soldered-on RAM instead of pluggable DIMM chips, vendor-specific eMMC storage (there are no standards surrounding how to interface with this class of flash memory) and no sign at all of standard PCI or SATA buses unless it's bolted on as an afterthought (daughter card going over USB, say).

For years, this has been fine. Nobody (apart from uninformed end users who, eg, expected their Windows ARM tablets to be a drop-in replacement for their x86 equivalent) expects the ARM systems that they buy to have a PC-like ISA, apart from some obvious consumer-level interfaces like VGA/HDMI/USB. Also, all these ARM vendors have been working in their own niches with little incentive to rally round some kind of ISA for more "internal" components (equivalents to DIMM, PCI, SATA, RAID controllers, discrete GPUs, etc.). It's only recently that ARM chips/SoC are beginning to be viewed as potential competitors in the PC-like/data centre role thanks to constant improvements in single-core performance, plenty of cores, and the step up to 64-bits. And, of course, energy efficiency compared to x86 legacy systems.

I'm sure that ARM in the data centre is definitely only a case of "when", not "if". I think that the author is right that this SBSA initiative will be a huge step forward for getting vendors to rally around and produce more PC-like architectures, but I think that it's only part of the way. You need standardisation not only at the SoC level (having a standard build configuration so you know how to address all the MMIO registers and such), but also at the level of having standards for physical/electrical interconnects for pluggable DIMMs and PCI-like peripherals.

BOFH: Don't back up in anger

Frumious Bandersnatch

Re: New technical terms.

Eh, they're all perfectly cromulent words round my way.

Frumious Bandersnatch

Re: The moral of the story?

And the classic: "Do not meddle in the affairs of wizards, for they are subtle and quick to anger"

Dormant Linux kernel vulnerability finally slayed

Frumious Bandersnatch

Re: Slayed?

> "fixed" would be a better word choice all round

But, "Buffy the Vampire Fixer"? Eew. Who'd want to watch that?

Headphone batteries flame out mid-flight, ignite new Li-Ion fears

Frumious Bandersnatch

Re: RE: photo

Well said, AC. I hate it when people take offence on others' behalf.

'Jarvis' brings AI to the Linux command line, without Iron Man

Frumious Bandersnatch

Re: For example, if a developer defined MD5 as a hash ...

For one thing, if it's a de-dupe problem, then it's much more efficient to use a hash of a file than to do a pairwise comparison of all files that could have the same contents. The problem of finding duplicates would be pretty intractable otherwise. Secondly, the total number of duplicates will most likely be very small (compared to the full population) and the de-dupe step needs to be done only once, so I can put up with a bit of extra overhead if it increases safety and finds me extra disk space.

As it happens, I actually use SHA-256 (using a tool similar to shatag in Debian), but notwithstanding that, I don't think that there's a problem using MD5 as a kind of heuristic to find identical files, so long as you have a second line of validation after it. In fact, you could use one or more different hashing functions as part of the validation step here, before you delete and create hard-linked copies...

Frumious Bandersnatch

For example, if a developer defined MD5 as a hash ...

... DevSkim would show a pop-up telling the user they're making a critical error

Maybe, maybe not. What if I'm aware of its shortcomings and decide that it doesn't matter in my case. For example, I could be using it in a program to de-dupe a filesystem, but I know that before hard-linking files together I'm going to do a bit-for-bit compare on them because I'm paranoid about accidental hash collisions and my own programming errors.

Right now, I wouldn't be too concerned about using MD5 in a HMAC (hash-based message authentication code) implementation. The Wikipedia page here states "attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code." Likewise, I wouldn't be too concerned about using it in a Merkle tree implementation where hash collisions are only advisory (like the file de-dupe example above) or I have other explicit measures that prevent pre-image (or whatever) attacks.
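The hash-as-heuristic, compare-before-linking workflow described in the two posts above, as an added example (not the poster's script, not shatag, and not a DevSkim rule): group by size, then by digest, then confirm byte-for-byte, and only then swap in a hard link atomically. MD5 is the default digest to match the discussion; the `usedforsecurity=False` flag (Python 3.9+) is what tells both FIPS-mode builds and linters that this is exactly the non-security use the post has in mind. The `.dedupe-tmp` suffix is a naming choice for the demo.

```python
import filecmp
import hashlib
import os
from collections import defaultdict
from typing import Dict, List

CHUNK = 1 << 20  # read files in 1 MiB pieces


def file_digest(path: str, algo: str = "md5") -> str:
    """Cheap pre-filter only. usedforsecurity=False (Python 3.9+) documents the
    intent and keeps FIPS-mode builds from refusing MD5."""
    h = hashlib.new(algo, usedforsecurity=False)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def same_bytes(a: str, b: str) -> bool:
    """The authoritative check: contents, not digests."""
    return filecmp.cmp(a, b, shallow=False)


def find_duplicates(root: str, algo: str = "md5") -> List[List[str]]:
    """Candidates by size (free), then by digest (one read each), then confirmed
    byte-for-byte against the group's first file. A digest collision or a bug in
    the hashing code shows up here as an unconfirmed candidate, not as data loss."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                by_size[os.path.getsize(path)].append(path)

    groups: List[List[str]] = []
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        by_digest: Dict[str, List[str]] = defaultdict(list)
        for path in paths:
            by_digest[file_digest(path, algo)].append(path)
        for candidates in by_digest.values():
            if len(candidates) < 2:
                continue
            candidates.sort()
            keep = candidates[0]
            confirmed = [keep] + [p for p in candidates[1:] if same_bytes(keep, p)]
            if len(confirmed) > 1:
                groups.append(confirmed)
    return groups


def hardlink_duplicates(root: str, algo: str = "md5") -> int:
    """Replace each confirmed duplicate with a hard link to the kept copy and
    return how many files were replaced."""
    replaced = 0
    for group in find_duplicates(root, algo):
        keep = group[0]
        keep_st = os.stat(keep)
        for dup in group[1:]:
            st = os.stat(dup)
            if st.st_dev != keep_st.st_dev or st.st_ino == keep_st.st_ino:
                continue  # other filesystem, or already the same inode
            tmp = dup + ".dedupe-tmp"
            os.link(keep, tmp)
            os.replace(tmp, dup)  # atomic: a crash leaves either the old or the new file
            replaced += 1
    return replaced


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for group in find_duplicates(root):
        print(" == ".join(group))
```

Swapping the digest for SHA-256 changes nothing structurally; what makes the hash choice unimportant is that nothing is deleted or linked on the strength of the digest alone.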

Hold 'em, don't fold 'em: How to bite Bitcoin pools

Frumious Bandersnatch

Re: house of cards question

> I guess what happens to them is the same thing that happens to all those decade+ old laptops and desktops.

Yes, the ASIC hardware is ultra-specialised, so it can really only calculate sha256(sha256(message)) < D, where "message" is the concatenation of the previous block's header, a proposed new block and a "nonce" (effectively a random number, though they are scanned in sequence).

This kind of thing is no use for, eg, breaking passwords, so if Bitcoin dies, the hardware is effectively useless.

https://www.bitcoinmining.com/ has a nice block diagram explaining this. See the "What Is Proof of Work" section.
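The proof-of-work check referred to above, as an added example and not Bitcoin Core's code: an 80-byte header in Bitcoin's field order (version, previous block hash, merkle root of the block's transactions, timestamp, compact target, nonce), the double SHA-256 over it, and the compact "bits" encoding of the target. The previous-hash and merkle-root values are constructed, and the target is set absurdly easy (about one success per 4096 hashes) so the loop finishes in milliseconds; on the real network the same loop is what an ASIC runs billions of times a second, and `header_meets_target` is the check every node repeats when a block arrives.

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """What a mining ASIC computes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Decode Bitcoin's compact target: mantissa * 256**(exponent - 3)."""
    exponent = bits >> 24
    mantissa = bits & 0x00FFFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def serialize_header(version: int, prev_hash: bytes, merkle_root: bytes,
                     timestamp: int, bits: int, nonce: int) -> bytes:
    """80-byte header in wire order. Hashes go on the wire byte-reversed relative
    to their usual hex display, hence the [::-1]."""
    assert len(prev_hash) == 32 and len(merkle_root) == 32
    return (struct.pack("<I", version) + prev_hash[::-1] + merkle_root[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def header_meets_target(header: bytes) -> bool:
    """The check every node repeats: the hash, read as a little-endian integer,
    must be below the target encoded in the header's own bits field."""
    bits = struct.unpack_from("<I", header, 72)[0]
    return int.from_bytes(double_sha256(header), "little") < bits_to_target(bits)


def mine(version: int, prev_hash: bytes, merkle_root: bytes, timestamp: int,
         bits: int, max_nonce: int = 1 << 32) -> int:
    """Scan nonces in sequence until the header hashes below target."""
    target = bits_to_target(bits)
    for nonce in range(max_nonce):
        header = serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce)
        if int.from_bytes(double_sha256(header), "little") < target:
            return nonce
    raise RuntimeError("nonce space exhausted; real miners then change the timestamp or coinbase")


# Constructed inputs: an all-zero previous hash as in the genesis block, a made-up
# merkle root, and a compact target of 2**244 (about one success per 4096 hashes).
DEMO_PREV_HASH = bytes(32)
DEMO_MERKLE_ROOT = hashlib.sha256(b"constructed coinbase transaction").digest()
DEMO_BITS = 0x1F100000
DEMO_TIME = 1_500_000_000


def demo_block() -> bytes:
    """Mine the constructed header and return it with the winning nonce filled in."""
    nonce = mine(1, DEMO_PREV_HASH, DEMO_MERKLE_ROOT, DEMO_TIME, DEMO_BITS)
    return serialize_header(1, DEMO_PREV_HASH, DEMO_MERKLE_ROOT, DEMO_TIME, DEMO_BITS, nonce)


if __name__ == "__main__":
    hdr = demo_block()
    print("nonce:", struct.unpack_from("<I", hdr, 76)[0])
    print("block hash:", double_sha256(hdr)[::-1].hex())
```

Nothing in the inner loop is reusable for anything but this header format: the ASIC's datapath is the two SHA-256 compressions over a fixed 80-byte layout with only the nonce field changing, which is the point the post makes about the hardware being useless for password cracking.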

Frumious Bandersnatch

Re: QiBitCoin

> One wonders how the arrival of quantum computing will upset these crypto-currencies.

Presumably not at all. A quick check on how Shor's algorithm (which could potentially defeat RSA) works tells me that it relies on the quantum Fourier Transform, which isn't applicable to SHA256 or hashing functions in general.

Force employees to take DNA tests for bosses? We've got a new law to make that happen, beam House Republicans

Frumious Bandersnatch

Re: Drain the swamp?

I think that anyone who uses this phrase (non-ironically) should see the film "Ikiru".

Frumious Bandersnatch

re: GATTACA

Also, Black Mirror's "Men against Fire" episode.

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Frumious Bandersnatch

Re: It only makes it easier to crack...

True, there should be protections against brute-force dictionary attacks, say, by increasing the delay between attempts. On the other hand, you need "defence in depth": if the password file is lifted through some sort of vulnerability, you need (at a minimum) to have those passwords salted and hashed. Not reusing passwords across sites is another sensible level of defence. Hope for the best, but plan for the worst.

Frumious Bandersnatch

Re: Sometimes I can't use a long password

Unix password files have never stored passwords in the plain, so saying that : is disallowed because it might appear there is rubbish.
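Both points above (salted, iterated hashing plus a growing delay between attempts, and the fact that a password file stores a hash rather than the password, so a ':' in the password never reaches the file) as one added example, not code from any libc, PAM or web framework: PBKDF2-HMAC-SHA256 from hashlib, a shadow(5)-style colon-delimited line, a constant-time comparison, and a per-account back-off. The `$pbkdf2-sha256$iterations$salt$hash` record layout, the iteration count and the throttle's numbers are choices made for this demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Self-describing record: algorithm, work factor, salt and digest, so the
    work factor can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        _, algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:  # malformed record, bad base64, non-numeric work factor
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def shadow_line(user: str, record: str) -> str:
    """A shadow(5)-style colon-delimited line. Only the record is stored, never
    the password, so a ':' in the password cannot corrupt the file."""
    return f"{user}:{record}:19700:0:99999:7:::"


def parse_shadow_line(line: str) -> Tuple[str, str]:
    fields = line.rstrip("\n").split(":")
    return fields[0], fields[1]


class LoginThrottle:
    """Per-account back-off against online guessing: after each failure the
    next attempt is refused until 2**failures seconds (capped) have passed."""

    def __init__(self, cap_seconds: float = 300.0):
        self.cap = cap_seconds
        self.failures: Dict[str, int] = {}
        self.not_before: Dict[str, float] = {}

    def allowed(self, user: str, now: float) -> bool:
        return now >= self.not_before.get(user, 0.0)

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(user, None)
            self.not_before.pop(user, None)
            return
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.not_before[user] = now + min(self.cap, 2.0 ** n)


# Verified against for unknown users so that timing does not reveal which accounts exist
DUMMY_RECORD = hash_password("not-a-real-password")


def attempt_login(store: Dict[str, str], throttle: LoginThrottle,
                  user: str, password: str, now: float) -> bool:
    """Throttle first (cheap), then the expensive hash."""
    if not throttle.allowed(user, now):
        return False
    record = store.get(user, DUMMY_RECORD)
    ok = verify_password(password, record) and user in store
    throttle.record(user, ok, now)
    return ok
```

The throttle is the online defence the first post calls for; the salted, iterated hash is the offline one for when the file itself is stolen, and the two are independent, which is the "defence in depth" being argued for. Ordering the checks so that the throttle runs before the hash also keeps an attacker from using the login endpoint to burn CPU.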

Favored Swift hits the charts: Now in top 10 programming languages

Frumious Bandersnatch

Re: Oddness in the rankings

Yeah, seeing Perl listed as first of the runners-up in the subhead raised an eyebrow with me. Earlier in the day I'd been reading up about the decline of Perl: why it lost its spot to languages like Python (mostly) and Ruby, and whether it's effectively a legacy language like Cobol now.

I guess that it's only people of a certain vintage (dinosaurs) that still think Perl is a great language. I never bothered (fully) learning things like Java, JavaScript, Go or Python. I still find that C and Perl do everything I could ever need. On the plus side, practically any platform you can think of will have both of these available when you want them.

Lawyer defending arson suspect flees court with pants on fire

Frumious Bandersnatch

Re: Ahh colloquial meanings of words.

and a long time ago, Mork and Mindy's landlord and next-door neighbour was one Mr. Wanker. Quiet down, he had a wife, you know!

User lubed PC with butter, because pressing a button didn't work

Frumious Bandersnatch

"use a scanner to read the barcodes directly"

Or just use cddb. It does require scanning the CD's table of contents (number and length of tracks) so it needs mounting each disk (slower than a barcode read), but I suppose you're going to be ripping them anyway at some point.

Arista-cats curl up in cloudy containers

Frumious Bandersnatch

arista-cats

LOL, for natural raisins.

(search: aristocrats joke)

CIA hacking dossier leak reignites debate over vulnerability disclosure

Frumious Bandersnatch

Re: I've been saying this since the Snowden revelations came out...

I've been saying my own stuff. I remembered a post I made back in 2014.

I would say that the chickens have come home to roost, but the last time that expression made the news, it didn't go too well for the guy who used it.

That CIA exploit list in full: The good, the bad, and the very ugly

Frumious Bandersnatch

Re: Claim drain

> it's starting to look like any plan that [the Kremlin] had is coming unraveled.

Or, if you believe a certain news outlet, it's actually progressing too fast for them:

http://www.theonion.com/article/russian-officials-scrambling-plan-delegitimize-wes-55434

AMD does an Italian job on Intel, unveils 32-core, 64-thread 'Naples' CPU

Frumious Bandersnatch

Re: Multicore Performance Improvement for the PC ?

I was thinking about this as I read the article. Although this new AMD offering has better memory bandwidth than Intel's, the bandwidth per core is less. It's similar to the situation with AMD's desktop range: decent compute power, but not quite as good memory bandwidth (which matters for, eg, games that need to transfer a lot of texture data). At least that was the case when I bought my at-the-time top-of-the-range AMD A10-7870K.

Of course, it's all about making engineering trade-offs, and I think that this is something that AMD does very well. Depending on the amount of L1 cache (L2 is usually* shared across cores, so it doesn't have quite as big an impact, but is still important) and the particular workload, it should be possible for this new offering to out-perform the Intel part quite a lot of the time, as AMD is claiming with their "seismic data" chart.

As for the OS, I know that Linux (can't speak for Windows or others) scales pretty well when you throw extra cores at it. The main overheads will come from the algorithms used in applications: their memory access requirements, inter-thread/-process synchronisation patterns and whether they're written to be cache-aware.

* Actually, following a link to a previous article here, it appears that the L2 is 512KB per core, not shared. There's also 8MB of L3 (shared), so I could imagine using this sort of system to run a Docker farm (probably not the right word). The base OS + Docker + shared guest binaries could easily fit in L3. With a more heterogeneous collection of components (different VMs with different guest OSes, effectively like a shared-hosting scenario), there won't be as much duplicated code (or static data) so there'll be many more page faults needing to access real memory.

Top tip: Unplug your WD My Cloud boxen – now

Frumious Bandersnatch

Top tip: Unplug your WD My Cloud boxen

Also, save money by not throwing away your used-up disposable razors: instead use them for peeling potatoes!