* Posts by Paul Crawford

2096 posts • joined 15 Mar 2007

FBI alert: Get these motherf'king hackers off this motherf'king plane

Paul Crawford
Silver badge

Really? I thought Boing, etc, assured us all that there is NO POSSIBILITY of in-flight systems being connected to the critical aircraft systems and thus leading to vulnerabilities.

Are you telling me they lied about this? When are Boing, Airbus, etc, going to be arrested and prosecuted for recklessly exposing critical systems to danger?

5
1

London man arrested over $40 MILLION HFT flash crash allegations

Paul Crawford
Silver badge

Re: meh

"HFT isn't the issue"

Really? Being fooled by proposed sales that don't ever take place, and you say that is not a fundamental failure?

What he may (or may not) have done may be dubious, but the real issue is just how much those automated traders were taken in by momentary data of sales that did not complete. You would have thought after one or two incidents they would have learned, but no, it seems to have been profit for years if the allegations are true...

8
1

White House cyber-general says US must be able to cyber-nuke the worst of the cyber-worst

Paul Crawford
Silver badge

+1 for that.

Really, the note about UL is the only sane thing but it misses the point - there is a need for standards of software/systems not being shitty that are legally enforced. If your kit fails the UL standards then AFAIK you can't sell it in the USA/Canada and if you do you can be prosecuted.

We need something similar for software: a requirement that best-practice (e.g. MISRA coding standards, etc) is used when writing it and the security aspect is properly considered, and finally that timely bug-fixes are provided for free (i.e. covered by the initial sales cost) and are practical to install for 5 years or so after the product family is last sold. Some legal stick is also needed, e.g. making the supplier liable for the consequences if not patched effectively after say 30 days of a vulnerability being reported, and making it illegal to obstruct security testing/auditing of your products.

Yes, I know that costs money to do, but if it is a requirement on ALL businesses then doing it right is no longer a cost-penalty compared to the shitty state we currently see.

3
0

VAMPIRE SQUID romps stun scientists: Unique sex lives revealed

Paul Crawford
Silver badge

Motion in the ocean

But does it make for a small craft advisory?

1
0

High on bath salts, alleged Norse god attempts tree love

Paul Crawford
Silver badge

Oh once he has come down from the drugs he will be discharged

12
0

iPhone vs. Galaxy fight hospitalises two after beer bottle stabbing

Paul Crawford
Silver badge

Re: Wrong conclusion to the report

The funny thing is stupidity seems to increase quickly with alcohol consumption.

2
0

D-Link router patch creates NEW SOHOpeless vuln

Paul Crawford
Silver badge

The whole printf() family should always be regarded as suspect because (1) a lot of compilers can type-check the format string against the variable argument list, and (2) you don't always know if the destination string(s) are long enough to hold the result(s).

These days gcc can format-check, and most decent static analysis tools also do this, but I have seen too many projects with shed-loads of compilation warnings that were obviously ignored. And most modern libraries have 'nprintf' variants where the target buffer can have its size passed in to stop buffer overruns.

As with a lot of these problems, the solutions are already out there if only they would use them :(

2
0
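The two points in the post above, compiler format checking and size-bounded `snprintf()`, as an added example (not code from the original post or from the D-Link firmware). The hypothetical `fmt_checked()` wrapper shows both: the `__attribute__((format))` annotation (a GCC/Clang extension) lets `-Wformat` type-check calls through the wrapper, and the `vsnprintf()` return value is checked so truncation is reported to the caller rather than silently producing a chopped string, which is the other half of the problem once you have stopped the overrun.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example; the unsafe/hardened pair and the fmt_checked() helper are
 * constructed for illustration, not taken from any real firmware. */

/* The classic pattern: sprintf() into a fixed buffer with no size at all.
 * Shown only for contrast; a long `name` overruns dst. Never call this. */
void build_banner_unsafe(char *dst, const char *name)
{
    sprintf(dst, "Welcome %s", name);   /* overruns dst if name is long */
}

/* Hardened: bounded by dstlen, and the compiler checks callers' format
 * strings against their arguments because of the format attribute.
 * Returns the number of characters written (excluding the NUL), or -1 if
 * the result did not fit (dst is still NUL-terminated, but truncated). */
__attribute__((format(printf, 3, 4)))
int fmt_checked(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dstlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);   /* writes at most dstlen-1 chars + NUL */
    va_end(ap);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;                         /* encoding error or truncated */
    return n;
}

/* Builds "Welcome <name>" into dst; returns 1 on success, 0 if it did not
 * fit. A 40-character name into a 32-byte buffer yields 0, not a smash. */
int build_banner(char *dst, size_t dstlen, const char *name)
{
    return fmt_checked(dst, dstlen, "Welcome %s", name) >= 0;
}

int main(void)
{
    char buf[32];
    printf("%d\n", build_banner(buf, sizeof buf, "admin"));
    printf("%d\n", build_banner(buf, sizeof buf,
                                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```

Build with `-Wall -Wformat=2` (and `-Wformat-truncation` on newer gcc) and a call such as `fmt_checked(buf, sizeof buf, "%s", 42)` is flagged at compile time; the runtime check catches the case the compiler cannot see, an argument whose length is only known at runtime.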

In some ways, dating apps are the anti-internet

Paul Crawford
Silver badge

What is worse is that some folk do seem to succeed by using the “Hi, wanna jiggy?” approach, and that leads to the tragic reality of Darwinism:

"Survival of the fittest" is often misunderstood to be about strength, cunning, health, etc. It is not, it is about the ability to out-breed your opponents by any means.

8
0

Why are enterprises being irresistibly drawn towards SSDs?

Paul Crawford
Silver badge

@Rebecca M

The majority of HDD errors are indeed detected by the controller and/or reported by the disk itself when a read request cannot be honoured. That is what classical RAID protects against.

With a periodic "scrub", where the system attempts to read all HDD sectors so errors are seen and re-written to hopefully fix the problem via sector reallocation, you get a good chance of not ever suffering from known RAID failure under normal conditions (data read, or more commonly when a HDD is replaced and a rebuild is needed).

But today where you might have massive data sets you can't ignore the problems of "silent errors" where the HDD's correction/detection system, or any one of a number of other sub-systems, has messed with your data. You might want to read this paper on the subject:

http://research.cs.wisc.edu/wind/Publications/zfs-corruption-fast10.pdf

(There is another from CERN but I don't have the link to hand)

2
0
Paul Crawford
Silver badge

You have to start with the assumption that if a storage device fails, you won't ever/economically get any/trustworthy data back off it.

From that starting point, you ought to have enough paranoia to assume the worst, so you begin with the question of what happens when (not if) your device fails/corrupts?

RAID saves you down-time, both use (machine keeps working) and admin (no need to restore your backup) but RAID!=Backup as we are always told.

Also most RAID & file systems don't have integrity checks so you can have data corruption and not know until something starts playing up. Once you realise this and the vast amount of data you may need to store (comparable to the 10^14 bits of HDD error rate) you might want that, so you then invest in ECC memory and a file system like ZFS or GPFS that has checks. They also support snapshots, a vastly under-rated feature that can save a lot of hassle in restoring a just deleted/modified file, or simplifying a consistent backup point-in-time.

And then there is your backup, which ought to be in another building and not on-line as a mounted file system or you might get ransomware screwed (something that snapshots can also help with, if you notice soon enough).

Really the arguments for SSD vs HDD that matter are cost/GB and IOPS, and smarter systems will use both to give you lots of storage at good price and responsiveness.

5
0
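The two posts above make the same point from different angles: a scrub only helps with errors the disk reports, and silent corruption needs an end-to-end checksum stored alongside the data (as ZFS and GPFS do) so that a scrub can tell which copy is right. The following is an added example, not code from either post, ZFS, or the cited paper: a toy two-way mirror with a per-block checksum, a constructed single-bit "silent" error on one side, and a scrub that detects and repairs it. FNV-1a is used only because it is short; the structure is the point, not the hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example with constructed data; `struct copy`, scrub_mirror() and
 * demo_silent_corruption() are illustrative names, not any real API. */

#define BLOCKS     8
#define BLOCK_SIZE 64

/* One mirror half: block data plus the checksum recorded when each block
 * was written (ZFS keeps its checksum in the parent block pointer; a
 * separate array serves the same purpose here). */
struct copy {
    uint8_t  data[BLOCKS][BLOCK_SIZE];
    uint64_t sum[BLOCKS];
};

/* FNV-1a 64-bit: cheap, and any flipped bit changes the result.
 * (ZFS uses fletcher4 or sha256; the principle is identical.) */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

void write_block(struct copy *c, int blk, const uint8_t *src)
{
    memcpy(c->data[blk], src, BLOCK_SIZE);
    c->sum[blk] = fnv1a64(src, BLOCK_SIZE);   /* checksum taken at write time */
}

/* Scrub: read every block on both halves and verify it against the stored
 * checksum; a half whose data no longer matches is rewritten from the half
 * that does. Returns blocks repaired, or -1 if some block is bad on both
 * halves (no trustworthy source left: time for the backup). */
int scrub_mirror(struct copy *a, struct copy *b)
{
    int repaired = 0;
    for (int i = 0; i < BLOCKS; i++) {
        int a_ok = fnv1a64(a->data[i], BLOCK_SIZE) == a->sum[i];
        int b_ok = fnv1a64(b->data[i], BLOCK_SIZE) == b->sum[i];
        if (a_ok && b_ok)
            continue;
        if (!a_ok && !b_ok)
            return -1;
        if (!a_ok) {
            memcpy(a->data[i], b->data[i], BLOCK_SIZE);
            a->sum[i] = b->sum[i];
        } else {
            memcpy(b->data[i], a->data[i], BLOCK_SIZE);
            b->sum[i] = a->sum[i];
        }
        repaired++;
    }
    return repaired;
}

/* Fill a mirror with constructed content, flip one bit in half B of block
 * `bad_blk` with no error reported (the silent case), scrub, and return the
 * scrub result (-2 if the halves still disagree afterwards). A plain mirror
 * with no checksum would only know the halves differ, not which to trust. */
int demo_silent_corruption(int bad_blk)
{
    struct copy a, b;
    uint8_t buf[BLOCK_SIZE];

    for (int i = 0; i < BLOCKS; i++) {
        memset(buf, 'A' + i, BLOCK_SIZE);
        write_block(&a, i, buf);
        write_block(&b, i, buf);
    }
    b.data[bad_blk][17] ^= 0x04;           /* the disk says nothing about this */

    int r = scrub_mirror(&a, &b);
    if (r < 0)
        return r;
    if (memcmp(a.data[bad_blk], b.data[bad_blk], BLOCK_SIZE) != 0)
        return -2;
    return r;
}

int main(void)
{
    printf("blocks repaired: %d\n", demo_silent_corruption(3));
    return 0;
}
```

Classical RAID never runs the `fnv1a64()` check: it trusts whatever the drive returns unless the drive itself reports a read error, which is exactly the gap the Wisconsin paper measures.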

This open-source personal crypto-key vault wants two things: To make the web safer ... and your donations

Paul Crawford
Silver badge

I suspect such side-channel attacks are only a real problem for remote equipment, or DRM applications where the end user/customer/dupe also "owns" the hardware that is intended to oppress them.

If you are enough of an intelligence agency target to have probes attached to hardware in your own business or home, I doubt the finer points of hardware design will be your biggest problem...

2
0

Life after Nokia: Microsoft Lumia 640 budget WinPho blower

Paul Crawford
Silver badge

GUI madness

"apparently taking away a phone UI people love and replacing it with a desktop UI people don’t is regarded by the Head Shed at Redmond as some kind of strategic masterstroke"

Redmond is not the sole practitioner of this dumb practice. You can take most recent GUI designs for phone and desktop and look at the respective replacements offered by MS, Apple and the majority of Linux distros, and you are left wondering: WTF do GUI designers aim to do? So often the "new" approach is dumber, less usable and hides the stuff that made folk like something in the first place.

Bah, a pox on them all!

21
1

Welcome to the FUTURE: Maine cops pay Bitcoin ransom to end office hostage drama

Paul Crawford
Silver badge

Re: How hard can it be?

Firstly it was most likely a Windows system.

Secondly while you thought you were being smart, you just gave yourself a false sense of security - what about /tmp /var/tmp (probably some others under /var as well), and /run/shm which are by default world-writeable and support execution?

0
0

Bored with Blighty? Relocation lessons for the data centre jetset

Paul Crawford
Silver badge

Re: Depresses me that consideration for UK areas...

Scotland had/has some collocation of hydroelectric generation and high-consumption industries like aluminium smelting. I'm pretty sure you would get a good deal on power and no cooling problems in those locations. Getting top-notch connectivity might be an issue, but I guess it depends on what your budget is and what the ratio of data to processing load in the centre is.

However, understanding the locals can be a challenge, even for those born in Scotland but 50 miles away...

1
0

IBM tightens Passport Advantage licensing terms

Paul Crawford
Silver badge

GPL as "complex" really?

It's quite simple really: I give you my code with the condition that if you modify/improve it for distribution, you make said changes available to others. That way we all benefit.

2
1
Paul Crawford
Silver badge
Linux

More and more it seems the incentive to keep away from any of the big software vendors is huge.

This is not a rant against paying for software/services, but at the complexity and opacity of the terms of said licenses.

Tux - a friendlier license ->

2
0

Astronomers battle plague of BLADE-WIELDING ROBOTS

Paul Crawford
Silver badge

Why don't these companies choose any one of the bands already free for use, rather than pissing on other's established usage and then asking for rules to be changed due to their own incompetence?

111
0

UK.gov: We want Britannia's mobe-enabled cars to rule the roads

Paul Crawford
Silver badge

Autonomous?

Really, is it wise to depend on communications for an "autonomous" car?

I thought the whole point is they can deal with current real-life traffic and the millions of human-driven vehicles that will still be in use for decades after the first self-driving cars are able to be deployed.

So while data links are nice and helpful to coordinate avoiding traffic jams and to warn about upcoming road conditions, accidents, etc, you still have to be able to deal with that if you are the first car there, thus operation without radio links should be a starting point in certifying a design.

18
0

Al Franken to FBI: We need MORE revenge smut arrests

Paul Crawford
Silver badge

@h3

Yes it is simple for some old bugger like myself to see how foolish some young person is to allow a photograph or video to be taken that might appear later. Also I can point out the hypocrisy and deceit of a society that will judge you by the odd image depicting you without the requisite amount of clothing.

But that is a reflection of my, and others', own weakness and prejudice.

Though I suspect the whole 'revenge porn' law and action is more about self-serving wankers in power, I do feel deep down that we, the mass of humanity, need to take a look at ourselves and to realise that a photo or video of some consensual activity should NEVER be seen as a problem for those taking part. Only for those who object without any experience or justification (probably the psychological reason for such a 'problem' in the first place).

8
0

Project Spartan: We get our claws on Microsoft's browser for Windows 10

Paul Crawford
Silver badge

Re: How...

My thought exactly, if I want "full screen and no controls" I can use F11

6
0
Paul Crawford
Silver badge

Nope - creeps me out too...

7
1

Put those smartphones away: Google adds anti-copying measures to Drive for Work

Paul Crawford
Silver badge

Re: The more I think about the security of Google Cloud.

You seem to be missing the obvious - you are then sharing EVERYTHING with Google and therefore are under Uncle Sam's laws.

Oh yes, and if you get in to any sort of contract or IP/DMCA-style dispute they can make your business vanish in a stroke.

9
0

Microsoft update mayhem delays German basketball game, costs team dear

Paul Crawford
Silver badge

Re: Two words...

"Few options but to kill the power and corrupt the SD card"

Can't you SSH in and shutdown from there?

2
1
Paul Crawford
Silver badge

Re: @NumptyScrub

Firefox warns you it needs restarted, so unless you really hold the browser open for days on end (just how much RAM do you have?) that is dealt with.

Also any new instance of a call (e.g. starting flash for a new video) gets the new version, so unless you are watching the same compromised video for weeks, same applies.

It's not perfect, but it seems a better approach than Windows where you can't replace an open file, so all sorts of stuff has to be done on shutdown/restart.

7
2
Paul Crawford
Silver badge

Re: Linux

"get stuck waiting for a disk check"

That is not too long if you use ext4 (default these days). E.g. my PCs typically take 10-20 seconds to check and that is with spinning rust HDD filled with 100+GB of crap I could probably safely delete.

Still, if you ever had to wait for the old non-journalled systems like ext2 to fsck then you have reason to be concerned.

2
0
Paul Crawford
Silver badge

Re: Linux

"With Linux 4.x you will not have to reboot at all soon for ANY updates..."

For the kernel maybe, but what about the cluster-fsck that is systemd?

10
0
Paul Crawford
Silver badge

Re: Clearly it's a case of...

Oh I don't know - being unable to use your PC for 17 minutes due to updates is a serious flaw in the OS design.

While not really wanting to start a pointless OS willy-waving competition, I still ought to point out that other OSes can be updated without needing you to stop and more critically, for updates that actually need a reboot such as a new kernel, it's just the usual 30 seconds or so to restart.

All possible because the new files were already in-place earlier as *NIX style file systems allow an atomic in-place replacement of files, but still allow an open file handle to continue using the previous on-disk data until the last handle is closed (i.e. on shut-down for the kernel or similar).

18
9
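The in-place replacement described in the post above, as an added example (not code from the original post or from any package manager): write the new content to a temporary name, `fsync()`, then `rename(2)` it over the old path. The rename is atomic, and a descriptor opened before it keeps reading the old inode's data while a fresh `open()` gets the new file. The helper names and the `/tmp` scratch directory are assumptions for the demo.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example; atomic_replace() and demo_replace_open_file() are
 * constructed for illustration and run in a private mkdtemp() directory. */

/* Write `content` to "<path>.tmp", flush it to disk, then rename it over
 * `path`. Readers see either the complete old file or the complete new
 * one, never a half-written mixture. Returns 0 on success, -1 on error. */
int atomic_replace(const char *path, const char *content)
{
    char tmp[4200];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);

    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len || fsync(fd) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    close(fd);
    return rename(tmp, path);             /* the atomic step */
}

/* Returns 1 if a descriptor opened before the update still reads the OLD
 * bytes while a fresh open() sees the NEW bytes; 0 if either check fails;
 * -1 on a setup or I/O error. */
int demo_replace_open_file(void)
{
    char dir[] = "/tmp/atomicdemoXXXXXX";
    char path[4100], tmp[4200], buf[64];
    int rc = -1, old_fd = -1, new_fd = -1;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/libdemo.so", dir);
    snprintf(tmp, sizeof tmp, "%s.tmp", path);

    if (atomic_replace(path, "version-1") != 0)
        goto out;
    old_fd = open(path, O_RDONLY);        /* "the running program" */
    if (old_fd < 0)
        goto out;

    /* "the package manager" installs an update while the file is open */
    if (atomic_replace(path, "version-2") != 0)
        goto out;

    /* the old handle still reaches the old inode's data */
    n = pread(old_fd, buf, sizeof buf - 1, 0);
    if (n < 0)
        goto out;
    buf[n] = '\0';
    int old_sees_old = strcmp(buf, "version-1") == 0;

    new_fd = open(path, O_RDONLY);        /* a process started after the update */
    if (new_fd < 0)
        goto out;
    n = pread(new_fd, buf, sizeof buf - 1, 0);
    if (n < 0)
        goto out;
    buf[n] = '\0';
    int new_sees_new = strcmp(buf, "version-2") == 0;

    rc = old_sees_old && new_sees_new;
out:
    if (old_fd >= 0) close(old_fd);
    if (new_fd >= 0) close(new_fd);
    unlink(path);
    unlink(tmp);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("old handle kept old data, new open saw new data: %d\n",
           demo_replace_open_file());
    return 0;
}
```

The old inode's blocks are only freed when the last descriptor closes, which is why a long-running process (or the kernel image) keeps working on the old bits and why tools that report processes holding deleted files exist: that is the signal that a restart is still owed.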

Think server vulns are the IT department's problem? Think again

Paul Crawford
Silver badge

Re: Attack surface

While you might think that is a good idea, it's not really as then your IT folk are unlikely to be good at all of the systems.

Sure, choose the less-attacked OS if you can (i.e. you can get matching applications that work for you) but you really need to concentrate on:

1) Having someone (internal or contractor) who is good at their job and looks after things. For example, having someone who really knows Windows and is allowed to lock things down will be better than a monkey who thinks they know Linux, even if the attack statistics point the other way.

2) Keeping stuff patched as far as possible.

3) Having an isolated backup that you KNOW you can recover when it's needed (i.e. something that ransomware can't also encrypt because it's not visible as a file system to normal computers).

4) Training staff not to do dumb things and, more importantly, if they do make a mistake or suspect something odd is happening to get it dealt with immediately and not pretend it never happened.

My 2p worth.

2
0

Apple's 13-incher will STILL cost you a bomb: MacBook Air 2015

Paul Crawford
Silver badge

Re: It's not expensive

Have you noticed that site, like most, tells you bugger-all about the screen resolution unless you click on technical details for each one in turn?

WTF is the reason why screen resolution is not a searchable/choice option for selection?

3
0
Paul Crawford
Silver badge

I don't want "retina" resolution, mostly because I'm too old to be able to view things at ~30cm or less like the kids of today seem to do :(

What I do want to see is more vertical scale, since 1080 lines is OK for a 15" screen and bloody well ought to be the norm for 14"+ anyway. Apple are one of the few who offer 16:10 aspect which is better for practically everything but DVD viewing than 16:9

But 1080 "HD" becomes pants when you get to 24" or more. Really, I want a 42" 4k monitor at an affordable price, but that is not going to be a portable set-up no matter what...

1
0

Cross-dressing blokes storm NSA HQ: One shot dead, one hurt

Paul Crawford
Silver badge

Re:@Tapeador

Well here in the UK we have a little short of 3000 deaths per year due to cars & road transport, should we all surrender the freedom and opportunity that road transport has given us for the last century for that?

27
1

Short circuit at Large Hadron Collider slows return to matter-mauling

Paul Crawford
Silver badge

Re: At last!

11, 12 even 13...

https://xkcd.com/670/

1
0
Paul Crawford
Silver badge

At last!

Two beams at 6.5TeV? So finally they can turn it up to 11?

(Alas! No Spinal Tap icon to go with this)

1
0

Belgium to the rescue as UK consumers freeze after BST blunder

Paul Crawford
Silver badge

Re: Timestamps @Frumious Bandersnatch

I think you are talking about changing the underlying system clock (i.e. UTC time).

That is normally slewed by NTP unless it's a leap second (where the kernel gets that and ought to handle it properly for event timers, etc) or if the time error is too big to be done in a sensible window (typically at system boot where you have no idea if the clock is OK).

The "jump" I am referring to is in local time when the daylight saving hour goes in/out of effect. I don't know of any system that would slew the DST value, but it's not an impossible thing to consider.

0
0
Paul Crawford
Silver badge

Re: Why...

Why - cheap (usually) code monkeys not using/understanding the details of time/time-libraries, and NOT BLOODY TESTING them!

3
0
Paul Crawford
Silver badge

Re: Timestamps

The standard *NIX approach is to do all your data storage and maths in linear UTC and only for humans do you display it in a readable form and at that point you allow for the local time-zone & language. It's the sensible way.

The complication arises when you have a time-of-day event that some human wants at a set local time and you need special logic if that is in the hour where the "clocks change" as you could get either 2 or 0[*] time-crossing occurrences depending on the direction of the change. But that is independent of which zone you're in, other than it is a zone that has "daylight saving" which is practically all significantly northern and southern latitudes.

It makes bugger-all difference to the amount of daylight of course, but humans seem unable to cope in modern times with doing things that are not at set times.

* - of course when local time jumps from 1am to 2am you cross all times in between, but how do you handle that? You could trigger all events set for 1-2 simultaneously, but what if the person needed A to be 5 mins before B, and both 10 min before C and all in that 1 hour window?

2
0
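The "2 or 0 occurrences" problem from the post above, as an added example (not code from the original post): store and iterate in UTC, convert to local only to compare against the wall-clock time the human asked for, and count how often that wall-clock time actually happens on a given local day. The UK rule is given as a POSIX `TZ` string so the example needs no tzdata; the function name and the choice of 2015 dates are assumptions for the demo. 0 means the scheduler has to pick a policy for the gap, 2 means it has to decide whether the event fires once or twice.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Added example; wallclock_occurrences() is constructed for illustration.
 * UK rule as a POSIX TZ string: GMT standard time, BST = +1h, DST starts
 * last Sunday of March at 01:00 and ends last Sunday of October at 02:00. */
#define UK_TZ "GMT0BST,M3.5.0/1,M10.5.0/2"

/* Count the UTC instants that display as hh:mm on local calendar day
 * y-m-d in zone `tz`: 1 on a normal day, 0 for a time inside the
 * spring-forward gap, 2 for a time inside the autumn fall-back overlap.
 * Everything is stepped in UTC; local time is only used for the compare. */
int wallclock_occurrences(const char *tz, int y, int m, int d, int hh, int mm)
{
    /* swap TZ in for this call and restore it afterwards */
    char *saved = getenv("TZ");
    char *saved_copy = saved ? strdup(saved) : NULL;
    setenv("TZ", tz, 1);
    tzset();

    struct tm day;
    memset(&day, 0, sizeof day);
    day.tm_year = y - 1900;
    day.tm_mon  = m - 1;
    day.tm_mday = d;
    time_t utc_midnight = timegm(&day);   /* 00:00 UTC of that date */

    /* scan a day either side in one-minute steps; the local-date filter
     * below keeps only instants that fall on the requested local day */
    int count = 0;
    for (time_t t = utc_midnight - 86400; t <= utc_midnight + 2 * 86400; t += 60) {
        struct tm lt;
        localtime_r(&t, &lt);
        if (lt.tm_year == day.tm_year && lt.tm_mon == day.tm_mon &&
            lt.tm_mday == day.tm_mday && lt.tm_hour == hh && lt.tm_min == mm)
            count++;
    }

    if (saved_copy) {
        setenv("TZ", saved_copy, 1);
        free(saved_copy);
    } else {
        unsetenv("TZ");
    }
    tzset();
    return count;
}

int main(void)
{
    /* 2015-03-29: clocks went 01:00 GMT -> 02:00 BST, so 01:30 never happened;
     * 2015-10-25: clocks went 02:00 BST -> 01:00 GMT, so 01:30 happened twice. */
    printf("2015-03-28 01:30 occurs %d time(s)\n",
           wallclock_occurrences(UK_TZ, 2015, 3, 28, 1, 30));
    printf("2015-03-29 01:30 occurs %d time(s)\n",
           wallclock_occurrences(UK_TZ, 2015, 3, 29, 1, 30));
    printf("2015-10-25 01:30 occurs %d time(s)\n",
           wallclock_occurrences(UK_TZ, 2015, 10, 25, 1, 30));
    return 0;
}
```

Note what the function does not do: it never calls `mktime()` on the requested wall-clock time, because for a non-existent or ambiguous local time `mktime()` quietly picks one answer, which is exactly how "01:30 GMT" and "01:30 BST" get conflated in code that was never tested across a transition.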

Easy come, easy go: Euro astroboffins blast brace of Galileo sats INTO SPAAACE

Paul Crawford
Silver badge

Re: free

While I was quite happy to condemn the original politics of Galileo where the EU weasels, sorry ministers, said it would all be paid by the commercial use, we all knew that was a lie. With GPS being free and mostly available courtesy of Uncle Sam, almost no one will pay much for an alternative.

But I fully support the EU doing Galileo for the following reasons:

1) Developing the technology & infrastructure in the EU to do it.

2) Having an alternative to GPS in case Uncle Sam throws a hissy-fit (or a budget stale-mate turns things off).

3) Improving the overall reliability and accuracy for everyone as they then have a choice of GPS, GLONASS, BeiDou, Galileo and any other regional or LF options.

While it may represent several billion Euros, per person in the EU it is small change and we have already seen the UK gov piss away similar sums on failed IT projects over the last decade.

So cheap for what we get in my view.

2
0
Paul Crawford
Silver badge

I'm sure it's just commercial considerations. Just now, in spite of the ongoing politics and strife over the Ukraine, etc, the EU and Russia do business and this is part of it. Maybe future launches will be more birds in fewer Ariane rockets, most certainly if Russia causes trouble in this area, but for now I guess those in engineering and contract roles just get on with the best deal for the current time & place.

1
0

Building a better society from the Czechs' version of Meccano

Paul Crawford
Silver badge

Re: I remember that medicated Izal toilet paper

You have to add those moulded plastic seats that made everyone's arse sweaty and uncomfortable even up in less-than-tropical Scotland.

3
0

'If people can encrypt their cell phones, what's stopping them encrypting their PCs?'

Paul Crawford
Silver badge

Silly - that is what post-it notes are for! Put one next to your monitor and you won't have any problems with forgetting your password.

19
0

Dot-sucks sucks, say lawyers: ICANN urged to kill 'shakedown' now

Paul Crawford
Silver badge

In related news, bears are catholic and the pope...

5
0

Spookception: US spied on Israel spying on US-Iran nuke talks

Paul Crawford
Silver badge

France?

"...biggest threats outside of Russia, China and France."

When and how did France become a major threat to the USA?

Did they threaten to take away their French fries? Shrug and set about cooking good food in a sophisticated plot to topple McDonalds?

3
1

BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Paul Crawford
Silver badge

I would say this is completely BT's fault, after all it matters not if the end user is business or consumer, the kit they supplied LIED to the admin about the firewall being on, and it LIED about UPnP being off.

More over, this is a known vulnerability that BT has done bugger-all about because it might add to their support costs.

25
3

Microsoft enlists web security pariah Adobe to help build Internet Explorer-killer Spartan

Paul Crawford
Silver badge

Re: So the Spartans have invited the Trojans around to advise on the decor?

Great title, if I could give you 300 up-votes I would!

4
0

Make up your mind: Microsoft puts a bullet in Internet Explorer after all

Paul Crawford
Silver badge

Re: @Ian Easson

"You may be, but Microsoft cannot afford to be as a corporation."

So what if MS decides to ditch IE and drop support for all legacy systems, maybe with patching stopped in 2-3 years? Those enterprise customers have nowhere to go, they will simply have to update and move on to a future without IE's awful stuff.

What alternatives do they have? They can't realistically go on with old OS/browser without MS providing security patches, so they simply have to either suck up MS' latest offerings, maybe pay a fortune for post-end-of-life support, or go elsewhere.

Where is the 'elsewhere' for them to go? Apple has abandoned any real interest in anything outside of consumer use. While I am a keen supporter of Linux, I am in no doubt that if you are IE-bound and MS-dependent for all sorts of specialist software then you have more pain in changing OS than fixing IE-related stuff.

So basically MS can do as they please and corporate users of Windows just have to follow because so little software was ever designed to be cross-platform. That my friend is the real "End of Story".

3
6
Paul Crawford
Silver badge

Missed opportunity here

Really, I don't see why MS should keep on IE other than for some locked-in corporate customers. So why don't they make Spartan the only supplied browser for Win10 and sell IE11 as an extra-cost option, maybe chucking it in with the "W10 professional enterprise edition" or whatever?

Those who really, really, must use IE will either stick to Win7 or whatever for the next 5 years, or simply pony up for it on Win10. Their pointy-haired bosses might just see that it's time to fix their Intranet once they see an on-going cost for not doing so.

But, and this is the important bit, Joe Public won't consider it as an option as nobody has paid for a browser since, oh yes, IE was bundled for free two decades ago. Thus the few remaining web sites that rely on IE-specific support (and all public-facing gov sites, who are often offenders there) will get endless complaints until they fix their shit and become cross-platform.

11
1

This is what happens when a judge in New York orders an e-hit on a Chinese software biz

Paul Crawford
Silver badge

Similar to slysoft's AnyDVD I guess.

7
0
Paul Crawford
Silver badge

Re: Shameful

It would be funny if the company then sued Visa/Mastercard for blocking payments in China, won, and made them pay out $Million/day or whatever in compensation. Same for Google, Facebook, whatever. See how it feels when another big country extends its laws to the US business.

Make it big enough and the US laws might change. After all, the only thing that seems to matter in US politics or law-making is money.

20
1

Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs

Paul Crawford
Silver badge

Re: revoked cert

Not if you are using Chrome...

http://www.zdnet.com/article/chrome-does-certificate-revocation-better/

In spite of the apparent positive spin, the fact remains they don't properly check for revocation. The last point in the article basically says the whole system is crap/broken (as we know) but offers no proper solution to the stupidly lax design of certificate issuing where ANY one of nearly a thousand issuers can sign an imposter certificate for any domain.

2
0

Hey, Woz. You've got $150m. You're kicking back in Australia. What's on your mind? Killer AI

Paul Crawford
Silver badge
Terminator

The idea of AI machines destroying vast swaths of humanity is pretty appalling.

Until you stop and look at vast swaths of humanity that is...

5
0