* Posts by Charles 9

8221 posts • joined 10 Jun 2009

Software can be more secure, says NIST, and we think we know how

Charles 9
Silver badge

Re: Maybe Hire Professional Software Engineers

"How about starting by hiring actual professional software engineers, who have been formally trained in a university environment?"

You got the money? Because the PHB's can't be convinced even by the legal department.

0
0
Charles 9
Silver badge

It IS impractical because of scope. Formal proofs tend to require specific conditions to work (like the lack of direct-access code in seL4, meaning it chugs). Plus no matter how you slice it, a module only has a limited base of knowledge: what goes into it and what it does with it (Chinese Room Problem). Thus why ROP and other exploits simply exploit the standard behavior of these modules to create mischief: a gestalt exploit, I call it (worse than the sum of its parts).

0
0
Charles 9
Silver badge

Re: Start by actually writing your own code!

So how does this apply to a sensitive subject like, say, cryptography? You can't trust yourself because you're not knowledgeable on the subject and therefore are likely to do it wrong (and it's definitely NOT something you can just pick up by reading a book overnight), but you also can't trust anyone else because it's SUCH a sensitive subject anyone else is likely to be incompetent, corrupt, or both.

3
0
Charles 9
Silver badge

Re: Start by actually writing your own code!

"I would argue the exact opposite. Using a library means taking code that has been designed to do a purpose and using it for that purpose. The library will have a clear and sensible API to achieve the goal you are attempting (and if it doesn't, don't use that library, use another or adjust your mentality)."

It could also be totally WRONG, which is the point. You're placing your trust in a third party; that third party can betray you, intentionally or not. Ever heard the phrase, "If you want something done right..."

2
2
Charles 9
Silver badge

Re: Additive Software definition.

Yes, if both take THE SAME measurements and compare notes in case one made a mistake.

3
0

systemd free Linux distro Devuan releases second beta

Charles 9
Silver badge

Re: level playing fields suck

But what about all the other mainline distros? Are you saying ALL of them are acting in a cartel?

0
0

If your smart home gear hasn't updated recently, throw it in the trash

Charles 9
Silver badge

Re: Logical conclusion if devices are unpatchable and blocked/remotely killswitched

Can't proxy a secure connection. You don't know the key.

0
0
Charles 9
Silver badge

Re: Preaching to deaf numpties

And if the devices are housed in uncooperative regimes?

0
0
Charles 9
Silver badge

Re: Logical conclusion if devices are unpatchable and blocked/remotely killswitched

No, because many won't work at all without being able to phone home, and that alone can provide the hole miscreants need: part and parcel. And people still demand them because they ACTUALLY USE them. Frequently.

0
0
Charles 9
Silver badge

Try getting a legislature to pass that, though. At the worst, ALL the manufacturers could threaten to leave en masse (and take their tax money with them) since they'll be acting in a cartel to protect each other (see oil industry). Plus there's always the gray markets.

0
0
Charles 9
Silver badge

Re: I'm Amazed

"Exactly. That's what people are saying: Don't buy the current rubbishy implementations of IoT devices, but maybe do buy their successors when it's clear that some thought has been put into the security design, and the manufacturers have some incentive to support the devices for a reasonable length of time."

And if that never shows and people STILL DEMAND IoT stuff while the manufacturers continue their shell games and bribe legislators to keep enforcement toothless?

0
0
Charles 9
Silver badge

"In the early days, not sure if still applicable, a Certificate of Conformity (CE) declaration had the name of the responsible individual on it, and their signature."

And like I said, what happens when that individual in question ups and disappears as suddenly as the company he or she represents? And all the legal records and so on turn out to be false as well because no government has the Big Brother resources to check everything?

0
0
Charles 9
Silver badge

"Since IoT devices will continue to be made it is better to focus on which practices will make them securer, and particularly, how to reduce the bad practices at even long-term-orientated manufacturers."

And what happens WHEN, in the final analysis, the chief reason they're vulnerable is because they exist at all?

0
0
Charles 9
Silver badge

How do you stop the fly-by-night companies who respond to legal trouble by vanishing?

0
0
Charles 9
Silver badge

Re: Not in the trash

Most are too toxic to recycle.

0
0
Charles 9
Silver badge

It's also Big Brother to require a license to use something in the privacy of one's home. Are you really OK with police inspecting your houses for TV licenses?

1
0
Charles 9
Silver badge

Re: "Stifling innovation"

Well then representative government in general is fatally flawed due to the human condition to subvert any checks and balances you throw up. Law after all is at the core just ink on a page.

1
0
Charles 9
Silver badge

Re: Product liability

Because the manufacturers play shell games. Hard to sue a company that vanished the night before the news got out.

3
0
Charles 9
Silver badge

How do you survive skinny dipping in a raw sewer? Same situation.

IOW, you can't. Eventually the Internet will become too polluted to use. From there, it's either the Big Brother Stateful Internet or back to the Sears catalog. Nothing in between.

1
0
Charles 9
Silver badge

No, it'll go the other way where killing the Big Brother circuit kills the whole thing, voids the warranty, AND may put you criminally suspect for tampering.

3
0
Charles 9
Silver badge

Re: Given some instructions...

And how many people STILL can't reprogram digital clocks (like on VTRs) after a power failure or being plugged in for the first time?

4
0
Charles 9
Silver badge

In other words, the Stateful Internet, aka Big Brother.

1
0

Clients say they'll take their money and run if service hacked – poll

Charles 9
Silver badge

Re: No they won't

Also, if it's going to be a transportable domain (meaning you control the section just before the .com or whatever), those aren't cheap and will be recurring costs, which many people would find too much for what it's worth to them.

0
0

Hackers actively stealing Wi-Fi keys from vulnerable routers

Charles 9
Silver badge

Re: Simples, buy your own better router and secure it properly.

Point is, a directional antenna can be very sensitive, and a window is normally radio-transmissive, so you're prone to leakage. IOW, it may not be as tough a time as you think.

0
0
Charles 9
Silver badge

Re: Talk Talk Spokesperson

Then the lawyer calls back and demands someone up top before a lawsuit lands on the legal team's desk?

0
0
Charles 9
Silver badge
Facepalm

That doesn't even make sense. As Pi is an irrational number, there's no such thing as a last digit: not even a repeating one. If Pi terminated or repeated, it could become rational and could be expressed exactly as a ratio.

Besides, under AES-256, you probably couldn't get away with more than 32 digits (32 characters * 8 bits = 256 bits), maybe 64 if you go the hex route. I personally use a 64-hex-character scramble, which also hits the limit.

0
6
Charles 9
Silver badge

Re: Simples, buy your own better router and secure it properly.

Even with a sensitive directional antenna aimed through a window?

0
0
Charles 9
Silver badge

Re: Talk Talk Spokesperson

What's their response when it's a LAWYER calling?

0
0
Charles 9
Silver badge

Re: interesting

That's IF you can get one that works bug free. Harder than it looks.

0
0
Charles 9
Silver badge

Re: MAC filtering, all that does is create trouble for legit users.

Unless they have the capacity to just take the RACK, and I HAVE seen whole racks get stolen.

0
0
Charles 9
Silver badge

Re: What?

Our service. Our rules. Take it or leave it. Oh, and BTW, many ISPs are the ONLY ISPs in the immediate geographic area, meaning leaving it means leaving the Internet.

2
0

Radar missile decoys will draw enemy missiles away from RAF jets

Charles 9
Silver badge

Not to mention a modern missile has to lock onto a plane that can move and turn very quickly, which is why the modern Sidewinder missile (one of the most ubiquitous infrared-homing air-to-air missiles in modern military history) has the capacity to keep tracking up to 90 degrees off boresight: so it can still track the plane as it turns, something a laser tracker will have a harder time doing, which is why it normally isn't used in air-to-air situations. The only laser-guided missiles in use in the US at the moment are air-to-ground missiles: the Hellfire and certain versions of the Maverick.

0
0

Standards body warned SMS 2FA is insecure and nobody listened

Charles 9
Silver badge

Re: Some TOTP App

And if they find a way to steal the seed data?

0
0
Charles 9
Silver badge

Re: "the statement has had virtually no impact some six months after its announcement"

But many times the action needs to be done QUICKLY, like within MINUTES. Otherwise, you can just insist they go to a brick and mortar branch. What then when many people don't have a second means of reaching them in that kind of window?

2
0
Charles 9
Silver badge

Re: "the statement has had virtually no impact some six months after its announcement"

And what about those for whom SMS is the only possible second factor? Otherwise, you have to lump them with the numerous people WITHOUT a second factor.

4
0

Plastic fiver: 28 years' work, saves acres of cotton... may have killed less than ONE cow*

Charles 9
Silver badge

Re: Here's a thought...

Only if a DEBT is in play. Now, for your restaurant situation, that's correct because the bill represents the debt, but a shopkeeper is under no such obligation since he can simply refuse the sale and turn you out; nothing changed hands there, no debt is involved.

0
0
Charles 9
Silver badge

Re: ROFL

"The best point made regarding vegetarianism being a bad thing was with regard to children and animals being fed diets their bodies can't handle. Definitely something that vegetarians and Vegans need to be aware of - but it's also a very tricky subject, as it isn't just children fed vegetarian diets that have had problems (eg: kids getting rickets due to an insufficiently varied diet)."

I give the simplest argument against veganism in general like this: if man were meant to only eat vegetables, why did we evolve with canines?

1
0
Charles 9
Silver badge

Re: Why tallow?

"Because they are making a material to print currency on, not baking a fucking cake!"

Which doesn't answer the question. Why tallow and not vegetable shortening? No animals are harmed and it even has a higher melting point.

0
0
Charles 9
Silver badge

Re: Not much of a chemist then?

Shortening can top that, melting around 47C (~118F), so I doubt that's the reason. I will admit there could be other factors, though. I'm just trying to learn specifically which.

1
0

Take that, creationists: Boffins witness birth of new species in the lab

Charles 9
Silver badge

Re: Creationists ?

"2. I think creationists have never heard of Mitochondrial DNA ... that discovery proves creationism is just "wrong", no ifs, buts or maybes."

Exactly why does mitochondrial DNA conclusively prove creationism is wrong beyond any ability to argue back, even from an irrational viewpoint (and remember, you can't convince an irrational person)?

1
0
Charles 9
Silver badge

Re: I normally avoid discussions like this

Is it? Or is it really just a festival for the Winter Solstice manhandled into something compatible?

0
0
Charles 9
Silver badge

Re: "Random Mutation

EXCEPT, as they say, history is written by the winners. Astronomical as the odds can be, once they DO hit, that one advantage immediately smothers all other representations. The news only ever talks about the people that WIN the billion-dollar Powerball. No one ever talks about the billions of LOSING tickets along the way. Same distortion of perspective, which also applies to the question of why we live in the universe we live now with such astronomical odds of even existing. The very fact we exist shows the odds must've hit at SOME point.

1
0
Charles 9
Silver badge

Re: Annoying the Powerful

The creationist would just reply, "He would not be 'pissed off,' as you claim. He would be pleased that true believers can recognize His work and realize it for the Test of Faith it truly is. Not that you'd ever understand, heathen, since this is a gift only given to the true believers."

Who was it that said that it's impossible to convince the truly irrational?

0
0
Charles 9
Silver badge

Re: Maybe

"Religious persecution? Really? So starvation, wanderlust, adventure, or anything like that played no significant part in the population of the country?"

Well, it was usually persecution of SOME sort that drove them: religious, political, or economic, and it applied a lot during the American expansion. Irish immigrants and the like moved west to Kentucky and so on in response to the Whiskey Rebellion (political persecution--taxes). A lot of the Mountain Men were escaping past lives or trying to make a living when there was none back home (economic). Many were fugitives escaping prosecution. A lot were being enticed by offers (many of the wagon trains were formed for this, and there was the Homestead Act).

Wanderlust and the like probably enticed some people, but the vast bulk of immigrants and pioneers had simpler motives: either a reason to go somewhere or a reason NOT to stay home.

0
0
Charles 9
Silver badge
Trollface

Re: Power-crazed scientists create unnatural species!!1!

"A group of so-called "scientists", in a futile attempt to deny the majesty of God's creation, have done the unthinkable. These individuals, whose funding should immediately be rescinded, have created in their unspeakable experiments a chimera-like living creature."

If it were truly against God's Will, it would never have occurred. Otherwise, he has no capacity to stop man; ergo, God is not omnipotent.

0
0

Printer security is so bad HP Inc will sell you services to fix it

Charles 9
Silver badge

Re: Just checking

The only way to ensure a manufacturer never baits and switches you is to roll your own from scratch. Good luck.

0
0

Google turns on free public NTP servers that SMEAR TIME

Charles 9
Silver badge

Re: We have also a Google time now?

You forget (1) the speed of light is inconsistent in atmosphere and is usually some fraction of c, and (2) you tend to have multiple samples of varying consistencies, including consistently OFF TARGET.

1
0
Charles 9
Silver badge

Like I've said, give or take a second is OK for casual time synchronization, plus you have to consider the contention of the Internet itself when considering the precision of your responses. Beyond 1s precision probably requires a dedicated time source.

0
0
Charles 9
Silver badge

Re: Sub-second accuracy

From what I've read, HFT requires times precise AND accurate to within 1us.

1
0
Charles 9
Silver badge

Re: We have also a Google time now?

The problem there is that GPS signals can drift due to atmospheric interference (that's also why your GPS fix tends to drift even when you stand still). They're only good for casual time synchronization, in which case if you have an internet connection, it's easier to just sync to a time pool since the connection's so terse even a dialup connection can handle it.

For high-precision, high-accuracy demands, you're probably going to need your own source for consistency.

1
0
