* Posts by Charlie Clark

4206 posts • joined 16 Apr 2007

Kill Flash Now: 78 bugs patched in latest update

Charlie Clark
Silver badge

Re: HTML5 more secure?

flash bugs + browser bugs + web bugs > browser bugs + web bugs

Jury's out on that. Fact is all the browsers are more robust than they used to be and the plugin architecture is on the way out. But the same multimedia that provides such a rich vein of attack vectors for Flash may also turn out to be useful for any accelerated API that is more than likely being given privileged access to hardware (codecs, OpenGL, etc.). QuickTime and Windows Media Player in the past have had their own share of bugs and they are still providing part of the services for the new browsers.

My guess is that the new attack toolkits just aren't as sophisticated yet as they are for Flash, et al. True, the new browsers have been hardened in a way that Macromedia could never have thought of when it was adding the bells and whistles, but who knows if that'll be enough? The browsers have one thing going for them in that they don't publish implementation APIs, so they are freer to replace an implementation if it turns out to be a turkey. This comes at the overhead of having to agree the API with other interested parties and then make it work. Flash is a victim of backwards compatibility. Back in the day that meant it could add features quickly and keep developers happy, and it effectively ended the "install a plugin to watch this video" malarkey we had for much of the first decade of this millennium.

2
0

Everyone wants a piece of software maker Atlassian's ass

Charlie Clark
Silver badge
Go

Wish them luck

Atlassian's business model is based entirely around the service it provides, unlike, say, GitHub's, which looks like another massive data grab.

So, as a user of BitBucket for a number of projects I hope that they can continue to provide great service even to us freebooters!

0
0

Apple finally publishes El Capitan Darwin source

Charlie Clark
Silver badge

Re: “Finally,” WTF?

I think you need to ignore the clickbait.

Darwin has always been open source but Apple's release of the source is notoriously haphazard. Yes, people do care about it and Apple gets free peer review: everyone's a winner.

1
0
Charlie Clark
Silver badge

Re: Apple has been involved with 300+ Open Source Projects Since OS X

Maybe, but its contributions back then paled in comparison with others such as IBM and HP.

It curates WebKit and CUPS. However, since establishing the iTunes walled garden, the company's enthusiasm for interoperability in all things web has become remarkably tepid. That leaves mainly CUPS as an example of a company that takes open source seriously. Though I suspect we may see some contributions to LibreSSL, assuming this has been adopted as the replacement for OpenSSL in El Capitan.

1
1
Charlie Clark
Silver badge

Re: Job's the marconi of his day!!

The GPL may not be closed but it certainly is restrictive. BSD licence is attribution and caveat emptor only.

YMMV

7
0

Like a version? JDK 9 will point out its own flaws the very first time

Charlie Clark
Silver badge

Re: Why?

Does anyone else do version numbering like this?

Yes, it's also known as semantic versioning. You also see it with lots of open source stuff, including Firefox and Chrome.

With y as the variable:

x.x.y updates should be drop in for existing systems

x.y.x may include new features but shouldn't break compatibility

y.x.x can be expected to include API changes

In reality you'll often find overlap between the latter two as "minor" changes develop feature creep. Switching to time-based releases is the best antidote there.

You also occasionally see suffixes to the patch version: _1 on MacPorts for the change to a port where nothing upstream has changed. You will also see x.x.x.a stuff à la openssl, but that is generally frowned upon as semantically vague.

0
0
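The version scheme laid out in the post above (x.y.z plus the MacPorts `_N` revision and the OpenSSL trailing-letter suffix), as an added example that is not from the poster: a parser for those three forms and a classifier that says what kind of change an upgrade between two such versions should be expected to be. The function names and the "downgrade" category are assumptions of this example.

```python
import re
from typing import NamedTuple


class Version(NamedTuple):
    """Ordered fields: tuple comparison gives the natural version ordering."""
    major: int
    minor: int
    patch: int
    letter: str     # OpenSSL-style trailing letter, e.g. the "a" in 1.0.2a ("" if absent)
    revision: int   # MacPorts-style _N packaging revision (0 if absent)


# major.minor.patch, optional single lower-case letter, optional _N revision
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:_(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse "2.7.11", "1.0.2d" or "1.0.2d_1"; reject anything else loudly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised version string: {text!r}")
    major, minor, patch, letter, rev = m.groups()
    return Version(int(major), int(minor), int(patch), letter, int(rev or 0))


def change_kind(old: Version, new: Version) -> str:
    """Classify an upgrade from old to new by the highest component that moved."""
    if new < old:
        return "downgrade"          # going backwards is never a drop-in
    if new.major != old.major:
        return "major"              # y.x.x: API changes to be expected
    if new.minor != old.minor:
        return "minor"              # x.y.x: new features, compatibility kept
    if new.patch != old.patch or new.letter != old.letter:
        return "patch"              # x.x.y (or 1.0.2a -> 1.0.2b): drop-in fix
    if new.revision != old.revision:
        return "revision"           # _N only: packaging changed, upstream did not
    return "none"


def safe_to_drop_in(old_text: str, new_text: str) -> bool:
    """True when the post's rules say the new version should slot in unchanged."""
    kind = change_kind(parse_version(old_text), parse_version(new_text))
    return kind in ("patch", "revision", "none")
```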

Donald Trump wants Bill Gates to 'close the Internet', Jeff Bezos to pay tax

Charlie Clark
Silver badge
FAIL

Quoting Twitter does not an article make

Has El Reg cut a deal with (f)ailing social media company Twitter?

Bolding the tweets and aligning them in the centre does not do much for readability. Not that that really matters much given their content. It reminds me of junior school reporting in front of the teacher: "but he said, but she said…"

Trump is spouting some fairly stupid stuff to keep himself in the news. That there may be method in the madness is worth considering. See Scott Adams' light-hearted articles.

6
0
Charlie Clark
Silver badge
Thumb Up

Wasn't the same said about Ronald Reagan?

But who'll be around to write the songs?

I think Trump is following Oscar Wilde's dictum: "There is only one thing worse than being talked about and that is not being talked about".

8
0

Pirate Bay domain suspended thanks to controversial verification system

Charlie Clark
Silver badge

Demarcation?

Whois system that helps criminals to hide their identities when they register domain names.

Hang on. I thought helping criminals (and others) hide their identities was the entire point of the State of Delaware?

0
0

BOFH: Taking a spin in a decommissioned racer? On your own grill cam be it

Charlie Clark
Silver badge

What? You mean like the doughnuts the boss has just ordered for a board meeting?

0
0
Charlie Clark
Silver badge

I like the idea of luring the security team in with pizza as bait.

7
0

Mozilla bins 'Tiles' ads plan in Firefox

Charlie Clark
Silver badge

Re: The money...

So, $200M/100000 equates to at least 2000 programmers or equivalent jobs in the development team

Not really. Employee costs are, dependent upon country, twice their nominal salary due to contributions to healthcare, pensions, social security, etc. Buildings and capital expenditure will also be not negligible.

I'm not suggesting that Mozilla doesn't have a bloated development budget: things like Firefox OS will certainly have sucked up all kinds of resources. But accounting for these things is not as we sometimes think.

1
0
Charlie Clark
Silver badge

"focus on content discovery"

Oh, like Opera is trying with the pointless "Discover" feature. Like Taboola but built into the browser? Why not just go the whole hog? But then just concentrate on salacious, celebrity clickbait.

0
0

Windows Phone won't ever succeed, says IDC

Charlie Clark
Silver badge

Always was wondering why they did not ditch ARM altogether and went Intel all the way

Because Intel couldn't provide chips for the power envelope at the time. Now that they sort of can, the Intel chips still cost more than ARM. Difficult to get / keep the OEM market going under those conditions – as Intel has repeatedly demonstrated – and that is the stated aim. The assemblies in Shenzhen et al. are built entirely around ARM SoCs.

4
0

OopSSL: Pushme-Pullyou for OpenSSL patches

Charlie Clark
Silver badge
Thumb Down

Re: Point gun at toes, pull trigger

Guess what? Nobody wants to run the risk of their strategic selection being suddenly obsolete overnight, courtesy of rabid, stick-up-bum arsehattery

Yes, because Microsoft never pull patches after release either.

Sys admins should be able to live with any library that has reliable release management. With security stuff you can't necessarily expect just one patch per month. Urgent exploits need urgent patches.

Forking a project might be a means of last resort but sometimes it's the best thing to do. For example, the BSD projects have prospered after their forks. The reasons given for forking LibreSSL rather than trying to fix openssl were sound at the time and that project has more or less lived up to its more limited expectations. Various bits of the internet have seen libraries swapped in and out over time and it will be no different here.

2
0
Charlie Clark
Silver badge

SNAFU

I was checking with someone on Friday about this who maintains a downstream (Python) package based on openssl. Not only was this a push-me-pull-you but the different releases also had different breakages.

It would be less bad if openssl didn't have such a fucked up versioning system. It would be marginally less shit if they actually stuck with the one they have. But they didn't. Re-releasing effectively negates the crypto-hashes of the software. Not so clever for crypto-software.

The thing is that the project is now well-financed thanks to some PR-tastic donations by the mega corps. But it doesn't seem to be reflected in release management.

I've just checked and libressl is now in MacPorts. Time for port uninstall -f openssl and port install libressl methinks.

0
0

Smut-seeding Prenda Law ringleader must sell home to pay $2.5m debt

Charlie Clark
Silver badge

Re: Normally....

Have they also been debarred?

3
0

Manchester 'wins' £10m to test talking bus stops

Charlie Clark
Silver badge

Re: Northern Power House my fat arse

Manchester: The Turd They Keep Trying To Polish.

To be born in Manchester is to win the first prize in life. FTFY

3
1
Charlie Clark
Silver badge

Re: Northern Power House my fat arse

Don't forget that Maggie had to have a second law explicitly further deregulating Manchester's buses so that her cronies at Stagecoach and Arriva could get on with their low wage, low service offerings.

I don't live there any more but when I go home it seems to me that the GMPTE (as was) has been growing a pair over the last few years. Especially the way the tram tendering has been handled.

I now live in Germany so find all the British ticketing systems stupid because they pretend that pricing has any relation to the length of an individual journey. Zonal pricing is the only way to do things.

4
0

Infosec bods rate app languages; find Java 'king', put PHP in bin

Charlie Clark
Silver badge

Re: PHP

in which case the sql injection prevention which is still part of the input filtering will kick in. It's not ideal, but it does add an extra layer of protections just in case it's necessary

I've yet to see any kind of input filtering with respect to the database that wasn't basically a farce. It's a sticking plaster on a sieve. It adds to the maintenance but not to the value.

Sack any developer who writes code that doesn't pass the data in as parameters.

0
0
Charlie Clark
Silver badge

Re: PHP

input filtering

This worries me. What do you mean by it? I've only ever seen it used in systems that only looked like they were more secure.

If you aren't passing parameters into a prepared statement then you are doing it wrong. It is the DB's job to handle the parameters.

2
0
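The point made in the two "Re: PHP" posts above (input filtering as a sticking plaster versus passing the data in as parameters to a prepared statement), as an added example that is not the poster's code: a quote-stripping "filter" in front of string-built SQL next to the parameterised form, run against a constructed in-memory SQLite table. It uses Python's sqlite3 rather than PHP so that it runs stand-alone; the table, rows and function names are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with three constructed rows (sample data for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def strip_quotes(value: str) -> str:
    """The kind of 'input filtering' the thread is sceptical of: drops quote
    characters and nothing else. It only protects string literals, and only
    until someone finds a context where no quote is needed."""
    return value.replace("'", "").replace('"', "")


def lookup_by_id_filtered(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: interpolates the 'filtered' value into the SQL text. The id
    column is numeric, so the comparison needs no quotes and the filter has
    nothing to remove; whatever arrives is executed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + strip_quotes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_parameterised(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the value travels as a bound parameter. The database engine
    compares it against the column and never parses it as SQL, so no
    application-side filtering is needed at all."""
    rows = conn.execute(
        "SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "1 OR 1=1"):
        print(repr(value), "filtered:", lookup_by_id_filtered(db, value),
              "parameterised:", lookup_by_id_parameterised(db, value))
```

For a well-formed id both paths return the same row; for anything else the string-built query returns every user while the parameterised one returns nothing, which is the whole argument for making the database handle the parameters.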
Charlie Clark
Silver badge
Thumb Up

Re: PHP is filth

I totally agree with you: PHP is evil.

However, chacun à son goût and all that.

0
0
Charlie Clark
Silver badge

Re: I have to wonder...

As noted by another poster: it's often both.

As a language PHP contains more than a few design flaws which make code inherently unsafe: not being strongly typed is certainly one of the biggest problems. It's certainly convenient but you can end up paying a lot just for that.

2
0

PHP 7.0 arrives, so go forth and upgrade if you dare

Charlie Clark
Silver badge

Re: Not backwards compatible...

Promises are making callbacks look kludgy and antiquated.

Because that's exactly what they are.

0
0
Charlie Clark
Silver badge

Re: Not backwards compatible can cause a lot of problems

Particularly in 3 which now complains if you've mixed tabs and spaces for your indenting. It is bad practice and should be avoided, but it's not exactly the easiest thing to spot if you've got limited tools to hand at the time.

Why? It removes ambiguity. Which text editors can't be configured to display control characters?

0
0
Charlie Clark
Silver badge

Re: Not backwards compatible can cause a lot of problems

You don't need this to be part of the syntax to incorporate it into coding standards. All other languages are capable of having automatic coding standards checks without this.

It's Pythonic to make it both required and obvious. It means one less line in your own coding standard. This is straight from any good UX book.

Yes, the whitespace pisses off coders coming from other languages which use other block conventions. But they're just moaning about their cheese being moved. From all other perspectives it is literally a no-brainer.

2
2
Charlie Clark
Silver badge

Re: Not backwards compatible can cause a lot of problems

Any language that uses "whitespace" as a core feature is f**ked up by design from the start!!.

It's not a feature of the language, it's part of the syntax. A subtle but important difference because it emphasises readability as a desirable characteristic of source code. But, hey, who needs code review?

5
1
Charlie Clark
Silver badge

Re: Not backwards compatible...

I remember someone telling me that when PHP5 came out he decided to switch to Python because either way he had to learn a new language.

Rewriting your own code is often not the biggest problem for a version change: dependence upon third-party libraries can be a real deal-breaker.

I hate PHP with a passion but the new version does bring some significant performance and memory improvements. This might be attractive if you can switch with minimal changes.

OTOH just drink the Node.js kool-aid and go with the callback flow!

1
0
Charlie Clark
Silver badge

Re: Not backwards compatible can cause a lot of problems

Apart from the lack of support for u"" and b"" literals, there is remarkably little difference between 2 & 3 syntax and a compatibility shim is tiny.

The real problem is that Python 3 is only ideally better than Python 2. It brought no performance improvements.

Things are only now starting to change with asyncio.

PS. I want my print statement back. I've been writing Python 3 syntax for years and I still don't think that print should be a function. Even less with f"" literals in 3.5

1
0
Charlie Clark
Silver badge

Re: They had to release it as v7

Cos perl6 will be out in a few weeks

'cos we never heard that before! ;-)

2
0

Booming Ballmer bellows 'bulls**t' over Microsoft's cloud revenue run rate

Charlie Clark
Silver badge
Stop

Re: Hang on, is Ballmer starting to have a vision ?

Microsoft made money hand over fist during Ballmer's tenure. As a sales guy he really understood revenue and how to maximise it. If Azure isn't making money then making this known will really help focus those responsible.

He was less successful in the development / vision area which gave us Vista and Windows 8. Okay, for some of the shit in Vista Gates was responsible, and someone should have been in place to stop Sinofsky turning 8 into his own private toy.

But where Ballmer really fucked up was in acquisitions: aQuantive, Skype, Nokia, etc. But he'd more than earned the money to do this. IIRC MS profits per quarter more than covered those fuck ups.

And by keeping his shares he's also keeping his money very much where his mouth is.

10
1

Popular 3G/4G data dongles are desperately vulnerable, say hackers

Charlie Clark
Silver badge

Re: Cellular modems

Yep, my trusty old ZTE dongle only understands AT commands and you need physical access to fuck with it.

That said, I bet the firmware is a pile of crap.

0
0

CloudFlare intros HTTP/2, so we can ‘spend holiday time with our family’

Charlie Clark
Silver badge
Go

Great news

I take my hat off to CloudFlare for really working hard on this and providing it at no extra cost.

7
2

Monster fund manager sticks pin in Silicon Valley's unicorn bubble

Charlie Clark
Silver badge

A webscale Ponzi scheme

An increasing number of unicorns is an essential part of the private equity culture. Profits used to be made on IPO or acquisition. But the extended, er, grooming of the unicorns now gives opportunities to snare other investors, including retail ones, and suck in more money for a smaller piece, thus driving up the valuation. A high valuation means a higher cash-out for those with preferred stock.

Thus Goldman Sachs was selling bits of Facebook to private individuals before IPO. This was very close to breaking SEC rules about the number of investors you can have before you have to go public. Since then the rules have been relaxed, including through the cleverly titled JOBS Act, which now allows the banks to finance private equity using crowdfunding. What could possibly go wrong?

Add to this the artificially low interest rates which have savers chasing yields harder than Frank Gallagher chasing a free drink and you've almost got perpetual motion. Almost. With the Federal Reserve tipped to raise the base rate to, shock horror, 0.5%, the party could be coming to an end. If it wasn't for the financial repression in Europe and Japan ensuring lots more funding. The scale is smaller but this has shades of the sub-prime mortgage scam in it: German savers ended up holding some of the biggest turkeys. Bond yields in Germany are now largely negative, in Switzerland entirely negative.

But even with all this let's not ignore that this structure has led to some successful companies: Facebook has a nice profit margin; Airbnb definitely has legs; NewRelic provides a monetised service. Some of the others are spectacularly anti-profit (SnapChat, WhatsApp) – way to go guys – and we are close to the dotcom assumption of scale automatically being followed by profit. But there is still too much faith in being able to just add webscale to a good idea to get a huge profit. How on earth is Groupon still in business? Some of the startups outside San Francisco are actually making things and might surprise us yet.

2
0

Google to end updates, security bug fixes for Chrome on 32-bit Linux

Charlie Clark
Silver badge

Re: It's not 32-bit that's the issue

Why should Google support those 32-bit operating systems? They never promised to support them for that long. And for desktop it really is a bit overkill.

TBH a lot of this LTS is hooey. RedHat et al. promise to support stuff but in fact you're often left in the lurch when upstream maintenance ends.

0
0

If a picture tells a 1000 words about latency, Google won't load it

Charlie Clark
Silver badge

Meanwhile in Germany

You can now buy SIM cards with virtually unlimited WhatsApp traffic. TopUp requirements are minimal. No use to me as I don't use it but interesting all the same.

Net neutrality: who needs it?

0
0
Charlie Clark
Silver badge
Coffee/keyboard

Re: The sites i visit...i NEED to see the pictures

Er, is that just coffee on your keyboard? ;-)

2
0
Charlie Clark
Silver badge

Re: So far you rarely wait for images

I don't see DNS queries as the real problem. And I've given up worrying about JS libraries: hopefully Houdini will allow things like jQuery to get slimmer over time, but the important thing is people letting the browser decide how to do things and loading as much JS as possible after the onLoad() event.

http/2 should bring significant improvements but as long as people insist on using multi MB big images for thumbnail previews then websites will continue to get slower.

0
0
Charlie Clark
Silver badge

So, all good then! ;-)

1
0
Charlie Clark
Silver badge

Re: Déjà vu

TBH better to have control in the browser, which this kind of proxy setting does. Because "retina" websites are filling themselves with fooking huge images that generally get downloaded whatever the device.

0
0

Sued for using HTTPS: Big brands told to cough up in crypto patent fight

Charlie Clark
Silver badge
Stop

Here is my suggestion to fix this ludicrous aspect of the American way.

Pretty numptyish solutions to the problem.

1) "person in that knowledge field" is an even more difficult term than the "reasonable person" making an obvious discovery. If you look at the history of patents most abuse has come from large companies with more resources than patent holders. What you suggest would further entrench this system.

2) don't encourage even more litigation. In such an unlikely situation then the government should simply license the relevant patents.

The problems with the US patent system are well known: patents in too many fields are granted too readily and the courts, notably the one in East Texas, then get to deliberate on their validity.

The US patent system must be overhauled so that it is sufficiently resourced to check patents. In the case of some of the vaguer software and business patents, which are the ones that cause most of the problems, applicants could be required to demonstrate specific applications. Because it is often the blanket application of a relatively minor patent across a whole field that causes problems. Cf. this one and the website plugin one. The patent clerks should have the authority to reject these applications on sight – though applicants should also have the right to appeal.

14
0

So why exactly are IT investors so utterly clueless?

Charlie Clark
Silver badge

Sort of – losses in one investment can be offset against profits elsewhere but you generally don't want all your investments to flop (unless you're Goldman Sachs selling mortgage-backed securities…).

The tax advantages are important only as part of the bigger picture: borrow someone else's money (obviously, you don't want to carry the risk yourself) at the current artificially low interest rates (cheap credit is being paid for by screwing savers) and invest it instead of your own money. Any profits can be funnelled out via the most tax-effective means. Publicly listed companies are currently doing this: borrowing money to buy their own shares instead of paying dividends. Private equity has a few more tricks up its sleeve, such as preferred stock, which virtually eliminates risk for the privileged few. Inflating the value of RsWyp is important in sucking in other people's money to allow the scheme to run to fruition. Here again those artificially low interest rates play their part, as suckers looking at returns of 0.5% (at best) on safe assets are attracted by RsWyp's potential due to its phenomenal growth. And there goes your pension…

18
0

BOFH: How long does it take to complete Friday's lager-related tasks?

Charlie Clark
Silver badge

Re: BOFH getting soft in his later years ?

Why should she care as long as she's getting paid. After all, she's probably got a boss of her own…

You seem to have forgotten that the BOFH has already met his match.

12
0

Mobe-maker OnePlus 'fesses up to flouting USB-C spec

Charlie Clark
Silver badge

Re: Standards, for a reason

Trading standards should be able to enforce some kind of notice or otherwise withdrawal from sale.

0
0

Nominet to hike price of UK web domains by 50%

Charlie Clark
Silver badge
Go

Re: Regulation?

I think you're spot on. Articles 28 and 29 of the company could probably be legally challenged: giving executives power over the board is definitely not in members' interests: the board is supposed to supervise the executives "for the benefit of the Members as a whole…" (Article 1A).

There are no specific provisions about being a non-profit, but seeing as this is usually allied with special tax treatment, this is probably deliberately so. However, the purpose of the company seems to act in the interests of the members as long as they don't clash with those of the public. A bit nebulous but difficult to square higher prices without a benefit to members.

1
0

Mozilla annual report shows risky Google dependency now risky Yahoo! dependency

Charlie Clark
Silver badge

Re: Losing browser-market share...

So who's gaining?

Chrome mainly, though also Safari with the general shift towards mobile (from which Chrome also benefits). Weird, because I find Firefox the best mobile browser because of the extensions.

People tend to stick with the default: IE on Windows, Safari on Mac, etc. People moved to Firefox and then to Chrome on Windows because Microsoft fucked up so badly.

4
0
Charlie Clark
Silver badge

Re: The problem

re. XUL

If you can't maintain something then you have to drop it. Not so sure on what kind of UI stuff you really need for extensions – I've yet to come across an extension that only exists for Firefox that I need – but maybe following Vivaldi's lead there and switching to JS will be the way to go. Hell of a migration path but I suspect it could be partially automated. I hate JS but the toolchain is now pretty sophisticated, and not having to maintain your own multiplatform UI kit is a big win.

Vivaldi definitely (it's now my second browser) demonstrates that you can go beyond merely skinning Chrome.

0
1
Charlie Clark
Silver badge

Re: The problem

Dropping XUL and NPAPI were definitely sensible technical decisions.

As usual it's the "other stuff" that shows a lack of focus: fucking around with the UI and stuff built around new commercial agreements.

I've seen some good reviews of Firefox OS on tellies so that might be an avenue worth pursuing. There's no money in it for phones so they should drop that.

3
1

Spending Review: GDS gets £450m, Cabinet Office budget slashed

Charlie Clark
Silver badge

Those suggestions

a Common Technology Services programme will allow the Civil Service to purchase consistent, flexible and modern IT, driving savings and improving performance

Oh great, let's start doing everything differently. Again! In systems procurement flexibility and consistency rarely go hand-in-hand and are never seen with the word "cheap". Consistency usually goes with "standard", which can be simpler and perhaps cheaper. Well, that's the theory.

a new way of delivering digital services, Government As A Platform, will provide a common set of core systems that enable government departments to share digital services, technology and processes

This one's dead before it starts. There are no "digital services", just existing services delivered digitally.

the development of the GOV.UK Verify programme to enable individuals to prove their identity online and to access government services securely and safely.

Impossible without some form of electronic id-card with TFA (card and secure reader). Make it entirely voluntary and highlight the advantage for people of having a government system that can securely and anonymously verify identity. Could do a lot worse than buy in the existing Estonian system. Or at least work with its components, because the UK system will probably be subjected to more criminal energy than the Estonian one. By no means try and resuscitate old schemes or start with something blue sky.

Fuck, $ 450 will probably have been spent by the end of January. Time to buy shares in whale cruises, josstick factories and Vegas conference centres! Oh, and some "cowanking" space in London.

3
0

Hacker predicts AMEX card numbers, bypasses chip and PIN

Charlie Clark
Silver badge

Could have jobbed for a day in a trendy coffee shop…

OTOH given the number of cards Americans generally have, all he probably had to do was ask a few friends.

Don't quite know about US liability but in the UK this will mean that AMEX (and probably others) can be expected to be held liable for card fraud until they can demonstrate they have a fix. They normally insure against fraud but I can imagine the insurers also turning them down. Of course, any losses they do incur will be recouped through higher charges but in the meantime it looks like there's money to be made.

0
0