* Posts by Paul Crawford

2164 posts • joined 15 Mar 2007

Confusion reigns as Bundestag malware clean-up staggers on

Paul Crawford
Silver badge

Re: Let me guesss...

"Idiot sysadmins...greater risk to security than an unpatched Linux or Windows machine"

Often the unpatched machines are the result of said idiots.

Sure you may find machines that can't be patched for various odd reasons (not supported and/or run special software that can't work on newer OS, etc) but for $DIETY's sake you don't have them Internet-facing or in use for email/web browsing...

1
0
Paul Crawford
Silver badge

Re: Let me guesss...

"Don't believe only the luser blindly clicking on an exe is the culprit, sometimes the real luser is the syadamin"

For most corporate networks they should have all user-writeable space set to no-execute via Windows ACLs. Apart from software developers or sysadmins, who need to execute software that is not already installed in the proper (read-only) system locations?

0
0

The time on Microsoft Azure will be: Different by a second, everywhere

Paul Crawford
Silver badge

Re: NTP isn't that much better

"PTP eliminates Ethernet latency and jitter issues through hardware time stamping"

So you have an irrelevant comparison: PTP can't work on a WAN, and on your LAN (without WiFi use or woeful congestion meaning you should upgrade your routers) you get sub-ms accuracy which is smaller than the time-slice for most software/OS task scheduling.

Also having asymmetric delays of 100ms or so is quite poor, you really ought to be using NTP sources that are 'closer' to your machine (in a network sense).

But returning to may main point made elsewhere, using time stamps which are *assumed* accurate to re-order data over a wide system is simple but also prone to clock error. Should programmers not be looking at other hand-shake and event counting methods to synchronise the *order* of events instead of trusting everyone's clock is always sufficiently close in time-keeping?

0
0
Paul Crawford
Silver badge

Re: NTP isn't that much better

NTP is better than Windows SNTP by many order of magnitude

A typical Windows installation (thinking desktop here) has, by default, a time set once per week - so can be out by minutes at times. Even if you set the frequency to once per hour (registry setting) you are lucky to get better than 1 second.

NTP on a WAN typically give you accuracies of 10ms or better (so around 100 times improvement)

NTP on a LAN with decent time servers (e.g. machine with very good hardware clock or local GPS) gives you accuracies of the order of 0.1ms or better, so around 10k times better.

Often the question programmers should be asking is why am I using time, and is that actually the best way of determining order and sequence?

0
1
Paul Crawford
Silver badge

Re: Obviously the sensible solution would be...

No, the UNIX time_t follows UTC and so is not able to perform correct time duration calculations over the leap-second period as there are discontinuities at those points.

3
0
Paul Crawford
Silver badge

Real "Root of the problem"

A more general problem with programmers is they use "clock time" as a substitute for "order of events".

This works well if all events are being recorded with consistent time stamps, say for conditional compilation on a local machine where you can check if the .o file in one location is older then your .c file in another, or when you pressed the "build" button in the GUI, etc.

Things break due to time faults: such as the same conditional process on a network file system where the time stamp of some files is due to the servers' clock, and others locally are from the client's clock which is different, or the file system's time resolution (e.g. 2 seconds on FAT32 as a worst case) is now greater than the interval between steps, etc.

Then we get in to all sorts of debates abut keeping leap seconds to work around dumb programming. But really what the programmers & software architects should be asking is down to the ACID database situation - how do you guarantee correct order of events in a process if the local clocks are not fully in sync?

1
0
Paul Crawford
Silver badge

Re: Root of the problem

Time-obsessives have two things:

1) Atomic time, which is precise and monotonic (the spherical cow).

2) Human/civil/UTC time that follows the Earth's rotation (upon which our concept of time and units were based). And there are differing degrees of the (look up UT1 & UT2 if you want to know more). This is your real cow, and equivalent choice of Frisian, Aberdeen Angus, etc...

0
0
Paul Crawford
Silver badge

NTP handles leap seconds in the "correct way" as far as it is defined, in that it makes UTC follow its defined values. The problem in the more general sense is you have two concepts of time, you have:

(1) The UTC/Civil definition of days being 24 hours, of 60 minutes of 60 seconds always, along with a formulae for dates that make up the Gregorian calendar (lets keep quiet for now about other calendars).

(2) You also want for various reasons staying in approximate synchronisation with the solar time - i.e. that at, say, 0 longitude the 12:00 local is, on a yearly average, the time the sun is overhead.

Now the second is define these days with extreme precision, but the Earth's rotation is variable and, worst of all, not quite predictable due to stuff moving around inside as well as tidal friction, etc.

The correct way to do all of this, of course, already is known and implemented in some systems that really matter, and that is to have you clock keeping "atomic" time that has no discontinuities, and then to apply a leap-second correction to get "civil" time. See:

http://en.wikipedia.org/wiki/International_Atomic_Time

That is exactly how the GPS satellites do it, and their own GPS time was in sync with UTC in 1980 and is now 16 seconds different.

What is a problem for more software when it comes down to second "accuracy" is the most computer libraries are based on (1) and:

a) They don't quite know how to deal with the 59-second or 61-second minutes that happen when you get a second removed/added.

b) Also to perform the conversion to/from atomic time you need the offset values and as they have to be updated as the Earth's motion is observed, so it is hard to do correctly on anything stand-alone. You then would need internet access and the security problem that brings, and the grief caused when in a few years some web developer stupidly change URLs of important data for no obvious reason when tarting up sites.

Finally, there is a project (which I have not checked/tried yet) to give you a local NTP "fluid time Wednesday" effect here:

https://support.ntp.org/bin/view/Dev/LeapSecondTest

0
0
Paul Crawford
Silver badge

NTP handles this correctly.

Most OS can handle it correctly as well, but from time to time (groan!) someone changes the time-handling code and then fails to test it on leap seconds and you get problems, like the Linux glitch a year or so ago.

You can get GPS simulators and create your own NTP servers that push out this sort of thing for testing, so its quite possible to do, but people don't. And the results are predictable. Of course, you also get programmers doing dumb thing to implement delays, etc, rather than using the proper OS calls, leading to more bugs.

I personally think they should step the second backwards and forwards every Wed for a couple of months - then we would get OS and application software tested and fixed. One can hope they would fix it...

6
0

Mozilla doubles bug bounties to $10k

Paul Crawford
Silver badge

Maybe if they spent less time in pointless GUI dicking around and fixed bugs they would have less need for this?

And what about non-security bugs, like the defaulting to US Legal paper for printing on every update on the *NIX version that has been open for more than a decade?

2
0

Google's super-AI boffin, Bilderberg nobs, and a secret Austrian confab

Paul Crawford
Silver badge

Re: lots of talking to do

As for the bundestag pc network being scrapped and replaced, maybe that is a final way to get rid of XP and force all users on to something more secure, reliable, and supported?

Lets just hope they check the PC suppliers are not using NSA-infected HDD should they decide to keep with Windows known boot loader...

0
0
Paul Crawford
Silver badge

Re: "c language, the most important enabler of cyber war"

Fail!

The correct statement is "stopping the use of cheap crap programmers who don't understand what they are doing and fail to apply best practice when coding and the multitude of tools that already exist to help"

If you are really looking for a scape-goat for info sec woes, how about Office and VB plugins?

0
0

ISIS command post obliterated after 'moron' jihadi snaps a selfie, says US Air Force

Paul Crawford
Silver badge
Paris Hilton

Re: Air Force General Hawk Carlisle

I wondered the same! OK, not quite as sinister as General Jack D Ripper, but a triumph of naming nevertheless.

Paris, as she could have my precious bodily fluids...

3
0

Everything old is new again: Man mugged in New York, only this time for his Bitcoins

Paul Crawford
Silver badge

Why?

I don't want to blame the victim for being robbed, as that is a crime no matter where it takes place. But I do wonder why would you turn up in person to pay by bitcoin?

As far as I can see its main reason for existence is for electronic payment, and more so for use outside of the US-controlled credit card and Paypal corporations where it is hard to trace and hard to stop (e.g. wikileaks accounts being blocked by US gov pressure). Of course the "hard to trace" aspect appeals to criminals just like wads of cash, so maybe they pushed him for a bitcoin transaction knowing that.

7
0

Star Trek's Lt Uhura hospitalised in LA after stroke

Paul Crawford
Silver badge

I wish her all the best for a speedy recovery.

I still find it hard to believe that in my own lifetime that kiss was such a big deal, but then looking around the world today at some of the morons out there it is less of a surprise.

28
0

Ruskies behind German govt cyber attack — report

Paul Crawford
Silver badge

Re: And yet the EU continues...

OK, you don't like sanctions.

Now how do you propose the West can impact on "the criminal government staff" without starting a war?

0
0

We stand on the brink of global cyber war, warns encryption guru

Paul Crawford
Silver badge

Re: Warfare via computer networks isn't soft power.

Sure, eventually something important will be hacked and people will die and, maybe then, will organisations will finally wake up and stop putting critical stuff on the internet at all.

Hell if you had to audit your whole system and get risk-based insurance for such design-decisions we would hardly see any such risk, as then systems would be properly secured and so take physical access as well as cyber skills to damage.

Just now there is a sporting chance of a few script kiddies taking a pop at critical stuff because a many years old and unpatched (or unpatchable) system is now exposed to "save money" and "improve productivity" in an important infrastructure or plant somewhere.

3
0

Compromised SSH keys used to access Spotify, UK Govt GitHub repos

Paul Crawford
Silver badge

Re: Why ?

"If you yourself are not clever enough to use github in a secure manner"

So Sir, were you clever enough to notice the bad random number generator in Debian's OpenSSL? Did you in fact report it and help fix things?

If not then STFU and get on with something more useful. The call is not for GitHub to hand-hold users at any point, but to notice said compromised keys and warn users about them. Those keys, most likely, were generated years ago and then kept even when the user's OS was updated to something that has that bug fixed and they probably forgot which version of number generator was used to generate them originally.

6
0

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Paul Crawford
Silver badge

"DHCP exchange) from being poisoned by a man in the middle?"

DHCP exchance is on my LAN and so under my own control. Not perfectly immune to attacks as they could p0wn the router, etc, but far far harder to do than out on the WAN.

0
0
Paul Crawford
Silver badge

"What does DHCP have to do with HTTP/HTTPS?"

Don't certificates sign for a given IP address? What if that changes?

"Also, you do a dis-service to systems admins/engineers by repeatedly writing that only developers can manage redirects and handling the nuances of making SSL work"

OK so who patches old expensive colour A3 laser printers to add SSL support? Have you seen much sign of software patching/upgrades even for new/recent printers?

2
2
Paul Crawford
Silver badge

Re: If selling certificates becomes like selling domains...

"they'll still prevent man-in-the-middle alteration"

If world & dog just ignores dodgy or revoked certs (like Google do in Chrome) when so many stink and/or change for no good reason, then what is to stop an ISP doing a proxy with some self-signed cert for everywhere?

0
0
Paul Crawford
Silver badge

Re: ^ This ^

Yes, like the shitty business of defaulting to US Legal paper size on every update on *NIX platforms. That bug has also been open for more than a decade. Maybe a small amount of time fixing stuff would bring more happiness to users than pointless dicking around with GUIs and pushing policies out that break things?

9
0
Paul Crawford
Silver badge

Vaccines have considerably less of a down-side that not being able to access old sites and local printers, router config pages, etc.

4
0
Paul Crawford
Silver badge

Re: Destroying Firefox from within

Forgot to mention network printers - how many of them support https? And how well is that going to work with DHCP?

7
1
Paul Crawford
Silver badge
Facepalm

Re: Destroying Firefox from within

Indeed, they tried to with pointless GUI changes and "lets copy Chrome" approach to hide and obscure menus and other featured of interest.

Why stop there? Why not also break access to your local router, home NAS, and lots of old but interesting sites which the owners of have died, moved on, or otherwise given up maintenance on?

Really, some developers seem to spend their day in a jerk-circle reassuring each other that they are right and the rest of the world (i.e. the users of their product) are fools for not agreeing.

21
0

Fanbois designing Windows 10 – where's it going to end?

Paul Crawford
Silver badge

Democracy?

"but like real democracy, it only works if every person has one vote"

That aspect appeals to the idea of fairness - that the robber barons, etc, don't get to dictate over the views of the proletariat by virtue of money or connections.

But the problem with democracy in practice is the same as MS has, the voters are often ill-informed or idiots, and the choices they have have been pre-selected by a few with vested interests.

However, it should also be stressed that GUI stupidity is not a MS exclusive, as we see various flavours of Linux desktops, browsers like Chrome and Firefox, and the anointed "master" of GUI design Apple all pushing unwanted and/or ugly and/or irritating changes our on long suffering users.

Really what a lot of people don't want is just that - change for no good reason (as they see it). Would I be so pissed off with the Office ribbon if there was a small config option to put the menus back as they were? No. Same for changes Gnome has made, etc.

19
0

Germany licks lips, eyes new data gulp with revised retention law

Paul Crawford
Silver badge

Re: Report contains several factual errors

You seem to have ignored the part that it will be the service operators who hold the data, not the police. so they have to make a request, with justification I hope, as they currently do for phone billing records.

Also it might not be a case of you being a criminal, you might also be the victim and said short-term metadata might be of help.

0
2
Paul Crawford
Silver badge

Re: Report contains several factual errors

I doubt very much that data retention has helped stop terrorist attacks, etc, in spite of all that Gov around the world claim as the justification.

However, I can see some use for normal policing of being able to access recent data (maybe several weeks as the Germans appear to be proposing). For example if someone goes missing in suspicious circumstance to find the last place their mobile was seen at, etc, or if someone is accused of committing a crime in a given location/time window.

The real issue most folk have about data retention is (a) the time-scale and what long term hoarding that means for digging dirt on those who fall out of favour, and (b) access by world+dog in government on the slightest pretence, and (c) feature-creep when it becomes useful for something else that is profitable, etc.

So personally I don't have a problem of short-term retention of several weeks and all access being by a properly justified court order.

7
1

Fedora 22: Don't be glum about the demise of Yum – this is a welcome update

Paul Crawford
Silver badge
Unhappy

"Nautilus, the default file browser which has about 30 per cent of the features it once had"

And that kind of sums up the whole GNOME 3 experience. In fact it seems to sum up the majority of GUI changes these days, pointless tinkering with eye-candy and the removal of features that some up-their-own-arse developer decided you didn't really need.

33
0

It's not over 'til Saturn's spongy moon sings: Cassini probe set for final Hyperion fly-by

Paul Crawford
Silver badge

Wasp's nest?

Sure its not the Wirrn?

http://en.wikipedia.org/wiki/The_Ark_in_Space

0
0

The rare metals debate: Only trace elements of sanity found

Paul Crawford
Silver badge
Thumb Up

Thanks for an interesting article - certainly I had no idea of the definitions used, and how by-product elements are, by definition, ones without reserves.

24
0

BRAIN STORM: Nine mislaid cerebra found near railway line in New York

Paul Crawford
Silver badge

Re: It wasn't zombies who left them...

I think it's an Igor you are looking for...

(don't worry one will appear behind you as if by magic)

5
0

Yay for Tor! It's given us RANSOMWARE-as-a-service

Paul Crawford
Silver badge
Facepalm

"ransomware...as a Windows screensaver"

Really, are people STILL falling for that one?

6
0

Shuttleworth delivers death blow in Umbongoland dispute

Paul Crawford
Silver badge
Boffin

Re: Umbongoland

Another minor aspect of the Umbongo "soft drink" was it would not ferment.

In spite of claiming to be fruity juice there must have been some non-volatile preservative in there as even boiling it up, then cooling it and adding yeast, etc, failed to produce any viable fermentation.

I'm sure you will understand how important this information is to your whole day...

5
0
Paul Crawford
Silver badge

Out of curiosity (and really not trolling here) can you point to an example of the agreement so other commentards can judge?

7
0

Microsoft to TAKE OUT THE TRASH in the Windows Store

Paul Crawford
Silver badge

Exactly - that is what proper reviews and feedback is for, to let potential buyers know if its any good!

That and a half-decent try before you buy option to let you see if it really does what they claim.

7
0

Windows 10 won't help. The PC biz is doomed, DOOMED, I TELL YOU

Paul Crawford
Silver badge

Re: Does anybody remember

I'm not sure even XP was worth it. I bought w2k and it was pretty good, but then the only noticeable feature it added compared to NT 4 was support for USB stuff, and I turned off the Fischer-Price menus and went with 'classic' which made it more or less the same.

Most folk who need Windows and have an interest are using Win7, which is basically Vista fixed, and only a few with 8.x even though there are underlying OS improvements. But as you say, its boring and nothing an OS does is exciting, more what it doesn't let other do to you that matters...

So most Windows sales will be down to replacing failed/obsolete hardware, and these days its either broken in a year or so due to a fault or works for 5+ years as a decent enough machine (gaming, etc, excepted).

5
0

EU net neutrality could kneecap the Tories' opt-out pr0n filter plans

Paul Crawford
Silver badge

Re: What has Network Neutrality got to do with this

"If one doesn't want it then its a 30 second operation to turn it off. What is the problem ?"

"If one wants it then its a 30 second operation to turn it on. What is the problem ?"

There, fixed it for you.

Or do you really think we should all be treated like morons and/or sheep by the ISPs & gov in order to keep a few frothing idiots in Westminster or on Mumsnet happy?

15
2

Finally! It's the year of Linux on the desktop TITSUP

Paul Crawford
Silver badge

Sad to see any business go under, but we have not used that distro since around 2009. I quite liked the 2007 era desktop and it worked quite well and also I bought a bootable USB with it pre-installed which was quite a novelty then.

But they messed up and we moved to Ubuntu. Who also messed up post 10-12-ish, but they seem to be the best-ish around for general use and sadly most others are also going down the "make it dumber and uses systemd" path.

2
0

There's a Moose loose aboot this hoose: Linux worm hijacks Twitter feeds for spam slinging

Paul Crawford
Silver badge

Re: Except...

You are partially right, in that its hard to get anyone to understand stuff like cryptography in the first place, let alone to apply effort in to making it better by review and bug-fixing.

But you are also wrong in two very important ways:

Firstly having something open makes it a bigger risk to back-door, and certainly makes it very hard for anyone to be offering it and not to have the come-back if they were the one putting in back-doors or spyware. With COTS stuff you have to take it on trust, which is low these days, or to try and intercept all communications with wireshark or similar and to decode/decrypt them to find out what is happening. Are people willing to do that any more common that those willing to review open source code?

Secondly the idea that open source is not needed any more is utterly wrong, as today perhaps more than ever, we are seeing a "walled garden" approach to machines where some company decides what you can do with your own hardware, and what others are allowed to offer you. Similarly having data open only works if (a) the format is published AND correct, and (b) you have access to alternative software to make use of it. Without FOSS options there would be no pressure on the likes of MS, etc, to even pretend to offer open standards and protocols.

Remember how it took an EU anti-trust suite to get the SMB/CIFS protocol opened? Or how Oracle tried to sue Google on the basis that APIs should be copyright and thus no one can make interoperable code without a license?

17
1

German watchdog rips off Facebook's thumbs after online fracas

Paul Crawford
Silver badge

Re: Twitter et al should be covered by this too

We see more and more reasons to use a Tor-like system for everyday browsing, and it has nothing to do with legality or otherwise, and all about basic privacy. No need for the multi-hop effort of Tor, just a system (even browser plug-in) that randomly redirects your request to others in the same country as the target web site (so it can be presumed the content is legal there) for the short term path. That and keeping each tab private and deleting automatically on closing so cookies, etc, are not shared between sessions or sites you open separately. And also makes everyone's browser look like one of a very small set to render fingerprinting pretty useless.

A shame that web browsers are not really interested, instead keep pissing away effort on ever more useless GUIs and advertising revenue options.

8
1

Skype hauled into court after refusing to hand call records to cops

Paul Crawford
Silver badge

Courts should be involved

MS are quite right here. There should be a proper and judicially supervised system for accessing any data, and some process by which it is reported beyond the investigation.

Sure, MS and similar should freeze any records from deletion immediately on any reasonable police request, but to actually get the data there ought to be a proper system of oversight and one that will protect journalists, whistle-blowers, etc, form abuse by those in power.

18
4

Geofencing: The ultra-low power frontier for the Internet of Things

Paul Crawford
Silver badge

Re: Lawn mowers & logo

Same for unsecured 3D printers. Its all about the willy...

3
0

2.8 million victims squared up by malicious Minecraft apps

Paul Crawford
Silver badge

Re: In two minds here...

Better solution is for the OS to give the user the choice of permissions to allow, with default as more or less none. Then make the app developers justify each and every one of them before they get ticked.

Sure it will piss off a lot of 'free' apps where the business case is about whoring you from advertiser to scam artist, but maybe the long-term result would be a lot better.

8
0

SLOPPY STELLAR CANNIBAL star is a NASTY 1, astroboffins squeal

Paul Crawford
Silver badge

Relativity

"catching binary stars in this short-lived phase"

That is short-lived by stellar life times, still long as measured by our humble time upon this Earth.

0
0

Windows Server 2003 end of support draws ever closer

Paul Crawford
Silver badge
Trollface

"what did you do during Windows Server 2003 end of support?"

Opened a nice bottle of wine, sat back in my chair, and laughed.

Seriously, I have enough problems of my own without worrying about other's...

0
0

New relay selection fix for Tor to spoil spooks' fun (eventually)

Paul Crawford
Silver badge

Re: Hmmm

The gov paper is surprisingly sane and well thought out. Basically it says trying to ban stuff like Tor is a stupid plan as its difficult to do and would make the jobs of police, etc, harder in practice.

It remains to be seen if technically stupid and knee-jerking politicians listen to those who know something about the subject though...

3
1

SAVE THE PLANKTON: So much more than whale food

Paul Crawford
Silver badge

Is it not closer to tree cum then?

0
0

High-level, state-sponsored Naikon hackers exposed

Paul Crawford
Silver badge

Re: an executable file with a double extension.

Are systems still not filtering this stupid (but obviously effective) trick some 20 years after the dumbness was first noticed?

Strewth, as our antipodean cousins might say.

2
0

Microsoft: Free Windows 10 for THIEVES and PIRATES? They can GET STUFFED

Paul Crawford
Silver badge

Re: Where's my checksum?

Come now, what a silly suggestion!

If MS were to offer a correct list of file sizes and SAH256 checksums for all genuine files where would you get that joy of AV software borking your machine by misidentifying MS's own software?

0
2

Forums