* Posts by Rob Moss

42 publicly visible posts • joined 6 Jun 2007

Blow me down with a feather, well, storage server software update gone awry: Nest vid streams go dark for 16 hours

Rob Moss

I, personally, have no problem with Google trying to bring me and my stuff into its ecosystem, as long as they let me get the data out again. Most Nest users were pissed off with Google's decision because they used things like IFTTT to control Nest from elsewhere. It's a "learning thermostat," sure, but it can't automatically switch on the heating when my, my wife's or one of the kids' smartwatches realises someone is awake and moving around, as long as it's after a certain time in the morning, or switch it off when we've all gone to sleep. Despite the much-vaunted integration with Android phones' location services, it's pretty useless unless you use some third-party integration to work out whether at least one of six mobile phones is at home.

I have no problem with advertising. I have no problem with information about me being provided to advertisers. It's a two-way thing. I get to use Google and its myriad of services for free and, in return, they present me with tailored advertising which, on occasion, is spectacularly useful. I am no privacy Nazi. I like shopping.

Crypto needs more transparency, researchers warn

Rob Moss

400 core years

That's not really very much. You can do that in less than an hour on AWS for around $200,000. There are more cost-effective ways to do it, but if your target is worth that much to you then it's pretty easily done.

Dell opens Oracle exit route for SAP data shops

Rob Moss

That sounds like a recipe for disaster. I'll be sticking to the tools SAP provide. If it necessitates a hardware upgrade just for the purposes of exporting the Oracle data, it'll still be worth it.

36 idiots running SAP under attack after flubbing 2010 patch

Rob Moss

Re: 6 Years?

Patch a SAP system for a customer and avoid getting sued and make a profit and then come back and tell me 6 years is inexcusable.

The first thing you need when patching SAP is to be brave.

Rob Moss

Re: No, not really child's play

Used correctly, it's magnificent, especially in larger companies. If you're a major supermarket, having a programme which complies with all known EDI standards for electronic tender agreements probably saves you the upfront and maintenance cost of SAP in year one. Sure, there are competitors, but there are reasons why SAP is reassuringly expensive - it's because you can get rid of 90% of your staff if you use it "properly".

Of course, few companies ever get that far.

Rob Moss

No, not really child's play

Applying a patch in the SAP world isn't really like applying a Windows Update. Everything has to be regression tested on a copy of the system with the patch applied. Then a downtime window has to be identified, and patching these things isn't necessarily quick. The more SAP products you use, the further your system landscape will spread. There are development, QA and production servers (potentially, plus others) for each major component you're using.

Of course, I'm not excusing the failure to apply the fix for the security flaw. But "child's play" is the wrong way to describe it. There will be a 6 month project plan that goes around the application of a set of patches. Quite often, it's one of the things that gets left by the wayside just because it's so complicated. Additionally, because SAP's Maintenance Optimizer feature in SAP Solution Manager is currently broken (see SAP Note 2305937, https://service.sap.com/sap/support/notes/2305937 - SMP login required) it's currently very difficult to apply the patch in a way most SAP sysadmins are used to, requiring them to familiarise themselves with SAP Maintenance Planner, a horrible HTML5 thing that's got about half the functionality of the Maintenance Planner which leaves it difficult to keep systems in sync.

If any of these companies want a hand applying the patch, I can certainly help.

Now you can easily see if a site's HTTP headers are insecure, beams dev

Rob Moss

Re: Very arbitrary definition of "secure" headers

Not really, AC. Strict-Transport-Security doesn't rely on browser support to be useful. Every website should be served up over HTTPS, and every website should also implement the HSTS header, because for those browsers that support it - and bear in mind MS are working very hard to kill off IE <11 - it means there's never an HTTP request that needs redirecting after the first ever request to the site. There are also preload lists implemented by browsers.

Content-Security-Policy has one very simple setting - upgrade-insecure-requests - which you can set to ensure that none of the resources linked from within your page are ever served over HTTP. I don't understand how anyone could argue against that being a good idea. You can also set all sorts of other restrictions, which are great if implemented properly. At least having the header served up shows that a non-zero amount of thought has gone into external resources.

Public-Key-Pins is something everyone should just do. Serve up two pins - one relates to your private key, and the other relates to a backup private key. If you change your certificate, so what? It's the same private key, and hence the same public key. You serve up the backup pin in case your private key is compromised. It's a commonly held myth that the pin is for the certificate. It isn't. It's a hash on the public key. Not the same thing as a certificate.

Why wouldn't you set X-Frame-Options? What more efficient options are there for stopping your site being framed as phish bait?

Why wouldn't you set X-XSS-Protection? Leaving it unset allows IE to bypass its own filters for backward compatibility purposes. It's madness to suggest this means nothing. For IE, it means everything, and IE remains the number one target, even if it's no longer the most popular browser.

Why wouldn't you set X-Content-Type-Options? Are you suggesting it's OK not to set it if you couldn't be bothered declaring content types correctly? Or if you have someone who might use your site with an older browser? Screw those guys using newer browsers, because there's someone using an older browser which will ignore this header, I'm going to leave an XSS hole open for them.

Your caching safety headers will leak information to disk. They don't cut it. You should have said:

For HTTP 1.1:

Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0

For HTTP 1.0:

Pragma: no-cache

Expires: 0

An interesting comment, but in no measure a demonstration of understanding of web application security...
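As an added illustration of the checklist in the comment above (not code from the original post, nor the header-checking tool the article describes), here is a small Python audit that parses a raw HTTP response head and reports which of the recommended headers are missing or weak. The two sample responses are constructed for this example; the `parse_headers`, `audit_security_headers` and `RECOMMENDED_CACHE_CONTROL` names are assumptions for this page only. One caveat worth knowing when reading the HPKP check: browsers have since removed support for Public-Key-Pins, so that finding is kept for fidelity to the comment but should be read as informational.

```python
"""Audit an HTTP response head against the header checklist from the comment:
HSTS, CSP (upgrade-insecure-requests), HPKP with a backup pin, X-Frame-Options,
X-XSS-Protection, X-Content-Type-Options, and no-store caching headers.
Hypothetical helper written for this page; not the article's tool."""
from typing import Dict, List, Set

# Cache-Control directives the comment recommends (pre-check/post-check and
# s-maxage are accepted if present but not required by this check).
RECOMMENDED_CACHE_CONTROL: Set[str] = {"no-cache", "no-store", "must-revalidate", "max-age=0"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response head (status line followed by header lines) into a
    dict keyed by lower-cased header name; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _directives(value: str) -> Set[str]:
    """Split a comma-separated header value into a set of lower-cased tokens."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("missing Strict-Transport-Security (HSTS)")
    elif "max-age=" not in hsts.lower():
        findings.append("HSTS present but has no max-age directive")  # required by RFC 6797

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "upgrade-insecure-requests" not in csp.lower():
        findings.append("CSP does not set upgrade-insecure-requests")

    # The comment asks for two pins: one for the live key, one for a backup key.
    # Informational only: current browsers no longer honour HPKP.
    hpkp = h.get("public-key-pins", "")
    if not hpkp:
        findings.append("missing Public-Key-Pins (informational: browsers dropped HPKP)")
    elif hpkp.lower().count("pin-sha256=") < 2:
        findings.append("Public-Key-Pins has fewer than two pins (no backup pin)")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection not enabled")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    missing = RECOMMENDED_CACHE_CONTROL - _directives(h.get("cache-control", ""))
    if missing:
        findings.append("Cache-Control lacks " + ", ".join(sorted(missing)))
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache not set (HTTP/1.0 clients)")
    if h.get("expires", "") != "0":
        findings.append("Expires: 0 not set (HTTP/1.0 clients)")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: private, max-age=600
Set-Cookie: session=constructed-example; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; upgrade-insecure-requests
Public-Key-Pins: pin-sha256="PLACEHOLDER_LIVE_KEY_PIN="; pin-sha256="PLACEHOLDER_BACKUP_KEY_PIN="; max-age=5184000
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0
Pragma: no-cache
Expires: 0
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(parse_headers(raw)))
```

The hardened sample reproduces the exact Cache-Control, Pragma and Expires values given in the comment; the weak sample shows the kind of response that passes a "has a Cache-Control header" test yet still lets a browser write the page to disk.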

Sainsbury's Bank web pages stuck on crappy 20th century crypto

Rob Moss
FAIL

Awful configuration

There are two servers in scope here. One is www.sainsburysbank.co.uk, which is used for sign-up. The other is online.sainsburysbank.co.uk, which is used for online banking.

www.sainsburysbank.co.uk is poorly configured. Only TLS 1.0 and SSL 3.0 are supported. RC4 is supported with SSL 3.0. There is no protocol downgrade attack prevention implemented. Hitting a browser which communicates using RC4 over SSL 3.0 with a bit of injected JavaScript can reveal their logon cookie within 52 hours, on average. With enough targets to attack, you can use the normal distribution to estimate the number of attacks you'd need to make in order to guarantee stealing someone's login details.

This, however, isn't the problem. online.sainsburysbank.co.uk is vulnerable to the POODLE attack, which means that with a little bit of effort, you can steal people's authentication cookies in Starbucks. If you can't get to Starbucks, no problem! There's a flawed but not entirely unreasonable list of cipher suites offered by the server. In reverse order. Least secure first! Pretty much everything will connect using TLS 1.0 with the TLS_RSA_WITH_RC4_128_MD5 cipher suite. Just to make things extra-porous, there's no session resumption, which makes the attack on RC4 a lot easier. It's not the worst configured TLS implementation I've ever seen, but it's not far off.
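The weaknesses the comment lists (SSL 3.0 still enabled, RC4 and MD5 suites, a preference order that puts the weakest suite first, no downgrade protection, no session resumption) are exactly what a defender wants a configuration review to flag. As an added example, not code from the original post and not a scan of the site named above, the following Python checker scores a server's TLS summary and reports each of those conditions. The `TlsSummary` shape, the `suite_strength` scoring and both sample configurations are constructed for this page; the "online banking like" sample merely mirrors the description in the comment.

```python
"""Assess a TLS configuration summary for the weaknesses described in the
comment above. Hypothetical checker written for this page; input is a
constructed summary in the shape a scanner report might give."""
from dataclasses import dataclass
from typing import List

# Substrings that mark a suite as broken or obsolete outright.
WEAK_MARKERS = ("_RC4_", "_DES_CBC_", "_NULL_", "EXPORT", "_MD5", "_ANON_")


@dataclass
class TlsSummary:
    protocols: List[str]         # e.g. ["SSLv3", "TLSv1.0"]
    cipher_order: List[str]      # server preference order, first = most preferred
    fallback_scsv: bool          # server honours TLS_FALLBACK_SCSV?
    session_resumption: bool     # session IDs or tickets supported?


def suite_strength(suite: str) -> int:
    """Crude strength score (higher is better). Good enough to tell whether a
    preference list is strongest-first; not a substitute for a real grader."""
    s = suite.upper()
    if any(m in s for m in WEAK_MARKERS):
        return 0
    if "3DES" in s:
        score = 1
    elif "AES_128" in s:
        score = 3
    elif "AES_256" in s or "CHACHA20" in s:
        score = 4
    else:
        score = 2                 # unknown bulk cipher: neither flagged nor trusted
    if "_GCM_" in s or "POLY1305" in s:
        score += 2                # AEAD mode
    if s.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        score += 2                # forward secrecy
    return score


def assess_tls(summary: TlsSummary) -> List[str]:
    """Return findings for the summary; an empty list means nothing was flagged."""
    findings: List[str] = []
    protos = {p.upper() for p in summary.protocols}
    if "SSLV2" in protos:
        findings.append("SSL 2.0 enabled")
    if "SSLV3" in protos:
        findings.append("SSL 3.0 enabled: vulnerable to POODLE")
    if not protos & {"TLSV1.2", "TLSV1.3"}:
        findings.append("no TLS 1.2 or 1.3: clients end up on TLS 1.0 or lower")

    weak = [c for c in summary.cipher_order if suite_strength(c) == 0]
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))

    scores = [suite_strength(c) for c in summary.cipher_order]
    if scores != sorted(scores, reverse=True):
        findings.append("cipher preference is not strongest-first")

    if not summary.fallback_scsv:
        findings.append("no downgrade protection (TLS_FALLBACK_SCSV not honoured)")
    if not summary.session_resumption:
        findings.append("no session resumption: every connection repeats the full handshake")
    return findings


# Constructed summary mirroring the comment's description; not real scan output.
ONLINE_BANKING_LIKE = TlsSummary(
    protocols=["SSLv3", "TLSv1.0"],
    cipher_order=[
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    ],
    fallback_scsv=False,
    session_resumption=False,
)

# Constructed summary of a configuration that passes every check here.
HARDENED = TlsSummary(
    protocols=["TLSv1.2", "TLSv1.3"],
    cipher_order=[
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
    fallback_scsv=True,
    session_resumption=True,
)

if __name__ == "__main__":
    for label, cfg in (("weak", ONLINE_BANKING_LIKE), ("hardened", HARDENED)):
        print(label, assess_tls(cfg))
```

The ordering check is the interesting one: it does not need a full cipher grader, only a score that is monotonic enough to notice when RC4 sits ahead of AES in the server's own preference list.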

Eighteen year old server trumped by functional 486 fleet!

Rob Moss

John Lewis are still hiring COBOL developers.

Server retired after 18 years and ten months – beat that, readers!

Rob Moss

Windows NT 4.0 servers

My previous employer, whom I left around 6 years ago but who sadly went bust last year, had two Windows NT 4.0 servers. One was a fax server and the other was a phone system server. The fax server was the younger of the two, a Dell PowerEdge 2350 (I think that's the right model number) purchased in 1998. It had a Brooktrout ISA card handling fax duties. The same server was still faithfully sending faxes out after numerous OS and software upgrades 17 years after it was first implemented. Not constant uptime, but not bad.

The older server was a homebrew tower PC built at great expense by a company named Armstrong Communications in early 1994. Originally running then-just-released Windows NT 3.1 Advanced Server on an IntelDX4 80486 processor with 16MB RAM and an HP 2.1GB hard disk (sadly I can't remember the spec any better than that), it was upgraded to Windows NT 4.0 Server in 1996, was hauled up to SP6a in around 2001, and apart from that was only ever switched off when the lights went out. None of the components were ever replaced until the server was superseded by a Mitel 3300 in 2012. However, for some reason I will never understand, when they switched the old server off, some incoming phone numbers stopped receiving calls. When they switched it back on and started the services back up again, the incoming phone numbers started receiving calls again. The server was left performing this mystical, mythical, magical wizardry for the following three years until the company was liquidated in early 2015. Not 21 years' uptime, but 21 years of largely uninterrupted, error-free service.

I'm still unsure where this box ended up, but unfortunately my best guess is it's been recycled. Shame, really - there can't be too many working IntelDX4 processors left.

BOFH: Taking a spin in a decommissioned racer? On your own grill cam be it

Rob Moss

My favourite one for many, many months.

Sysadmin's former boss claims five years FREE support or off to court

Rob Moss

...unless the term which discusses other unenforceable terms is itself unenforceable.

Citrix's boutique virtualisation strategy is working. Mostly

Rob Moss
FAIL

Article image

The monitor isn't plugged in.

Terror in the Chernobyl dead zone: Life - of a wild kind - burgeons

Rob Moss

Re: Fukushima photos

This is all absolute rubbish. Rain doesn't glow. The Tsar Bomba had a lead tamper instead of a uranium-238 fusion tamper, so there was very, very little nuclear fallout. There was no measurable fallout outside the exclusion zone. I suspect the poster has no idea how much nuclear fallout is dropped by a nuclear weapon. And probably watches too many movies. And believes them.

Google to French data cops: Dot-com RTBF? Baiser ma DERRIERE

Rob Moss

Re: "[..] it is not the law globally"

They could just prevent access to all google-owned domains except google.fr in France; I'm pretty sure that would cover the ruling and it would also wake the authorities up to what they're asking once everybody went absolutely mad at them. The Spanish have lost a great many small publishing companies since the introduction of the Google News Tax law led to the closure of Google News in Spain. No doubt that one will be repealed sooner rather than later.

The 'echo chamber' effect misleading people on climate change

Rob Moss

Re: Consensus is not science

Consensus is achieved through peer review. In climatology, this doesn't happen, because too much is covered up and hidden away. Therefore, there can be no consensus. I don't see quantum or nuclear physicists saying "you can't see this evidence in case you make me look silly" - they're rarely wrong, and when they are wrong, everyone can prove they're wrong because everyone has all the data. Climate scientists are wrong all the time, but hide their data in case someone embarrasses them and swings the debate. I'm neither an advocate nor a denier of MMCC or whatever you want to call it - I just think that the entire business circling around it is genuinely offensive and refuse to get involved either way until people start acting like scientists.

Google versus the EU: Sigh. You can't exploit a contestable monopoly

Rob Moss

Regulation

"Only non-contestable monopolies need regulation."

That simply isn't true. It would be fair to say that only non-contestable monopolies need regulation in order to prevent the abuse of that monopoly. But if a company owning a contestable monopoly is doing something which is within the rules but that "hurts" a majority of consumers to the point where they believe something "must be done," then, democratically, that contestable monopoly needs regulation, because any competitor will have to perform that same legal abuse in order to compete.

Scientific consensus that 2014 was record hottest year? No

Rob Moss

Re: Picking ever shorter time periods to deny climate change

What we have today is 73GW of capacity, and most of it goes spare to cover outages - peak winter output is only 59GW. In which case, to simply replace what we have today, we would need 36,500 2MW £4m wind turbines at a total cost of £146bn. If your rule of thumb applies and we really need double for when the wind isn't very good, we need 73,000 at a total cost of £292bn. I'm sure we'd get a volume discount, but I'm not sure how environmentally friendly that idea is. I think your rule of thumb is probably a little conservative, though - I don't think that would be anywhere near enough to be able to rely on it.

The best (EPR) nuclear power plants put out around 1600MW of electricity and run 24/7, whatever the weather. We'd need around 45 of them. The cost of these things is currently running to around €8.5bn, or around £6bn. That puts us at around £270bn for a wholesale replacement of everything we currently have, which would be a bit unnecessary - we just want to get rid of the crap stuff (like wind and wave stuff). But even if we did, it's still cheaper and a hell of a lot less of an eyesore (more fag packet maths says that would be around one turbine every 200 metres of suitable terrain - and that's using ALL suitable terrain - every hill in the country) to take the nuclear option. And these things don't cost that much to run, certainly nothing like as much as a hoard of 73,000 wind turbines, and electricity could genuinely be a free public service, meaning your fossil fuels could go tomorrow and people could stop dying in the winter. I'd take the hit and invest the money if I were in charge. The flood of international investment from businesses who wanted to move all their operations here would be overwhelming and insanely profitable.

Rob Moss

Re: Picking ever shorter time periods to deny climate change

I've got about halfway through the five pages of comments and the only concrete conclusion I've got is that anyone who describes another human being as either a "warmist" or a "denier" has very little useful information to divulge. Almost everything that goes with it is rhetoric. There are even pages such as this one which train warmists on how to argue with deniers, and others that provide the opposite service. Science is cold, heartless, emotionless and impersonal. If you can't prove something to the point where nobody argues with what you've said, it isn't really science, it's more speculation. As soon as the answer becomes something to be discussed rather than something that is accepted, your question remains unanswered.

Ignoring the rhetoric both on the site and in Ian's post, the data contained on this site appears to be sound. What does it show? That temperatures are going up. A bit. That's nice. It doesn't tell me anything apart from that the temperatures are going up a bit.

But do I really care? Another thing I've come to realise having followed this discussion is that considering the complexity of our global climate, people who are arguing over whether the temperature has gone up by a bit, a lot or not at all are not the sort of people we should be listening to.

Building enough wind turbines to provide all the electricity we need all of the time would be an interesting thing to hear about. Will it turn enough kinetic energy into electrical energy to stall winds enough to further change climate? I want to know. Building enough nuclear power plants to provide universal free domestic electricity in the UK would apparently cost around £100bn. If we assume everyone suddenly dumps petrol and gas for electricity that jumps to no more than £150bn. Why has nobody asked me if I want to do that instead of "grow the green economy"? And why do people keep bleating on about global temperature change and sea levels when what I actually care about is my utility bills and my tax bill? I don't live near the sea, and for most of the year I'm cold.

Will multi-tier flash arrays come to a data centre near you?

Rob Moss

And when will we start to see desktop drives employing SLC, MLC and TLC in a single drive? Surely that's the logical extension of this? You don't need a huge SAN to have a clever controller.

How Microsoft can keep Win XP alive – and WHY: A real-world example

Rob Moss

Not quite true...

...why not just run the application through Windows XP Mode on Windows 7? Okay, so Windows XP Mode support dies off at the same time as Windows XP support, but that doesn't mean that you have to spend 100% of your time in an unsupported environment.

The importance of complexity

Rob Moss

Only a couple...

As a Mathematics graduate I generally find NP-hard problems to be the result of poor planning. I've come across a couple in the past where I had to write some code to take care of them - one to plan the route a set of delivery drivers all starting from the same place would take (basically TSP but with multiple salesmen) and another to calculate the optimal way to load these vehicles, bearing in mind that the stuff that was being delivered last had to go in first, and the stuff that was being delivered first had to go in last. The main problem was time dependency (it takes longer to travel along the M60 during rush hour, for example) but the NP-hardness of the problem wasn't really an issue. All problems are easy to solve given enough resource, and if you need too much resource, you're almost certainly solving the wrong problem.

Confirmed: Driverless cars to hit actual British roads by end of year

Rob Moss

There is no "project". It's just a car. That's the point - Google's car, for example, doesn't need any of these third-party aids. Everything it needs is in the vehicle. And after several million miles of autonomous travel, it's been crashed into once (in stationary traffic) and never hit anything. That's a better record than anyone I know has. Furthermore, software and hardware do not get tired, pissed, annoyed with the kids in the back, distracted by a low-cut top and a short skirt, distracted by someone else's car having a dent in it on the hard shoulder, blinded by the reflection off the bald head of the old man in the convertible in front... and they can quite easily concentrate on the behaviour of every moving object, no matter its size, within LIDAR range.

When is a manual intervention required? Never. Human beings should not be trusted with a two-ton lethal weapon.

Rob Moss

Re: All at once or none at all

It's been pretty much proven by Google already that it doesn't really matter whether other drivers are ducking and weaving all over the place. Your fully autonomous vehicle can see them coming via radar a few hundred yards off, detect the erratic driving patterns and act accordingly to maximise safety and efficiency. If anyone's going to get hit or delayed by someone driving like a nutter it's the poor guy with the non-autonomous car who has to try to react to what's happening all by himself, with only two eyes and his own wits, reactions and personal driving experience to help him. As soon as one of these things actually goes on sale, it'll have many millions of miles of driving experience per week and, as long as the programmers are up to it - which so far they seem to have been save for sitting in the centre of the lane on a Tokyo highway (nobody else does, they all make themselves an extra lane, so it caused a traffic jam, now apparently fixed) and the sheer idiocy of both the guy who rammed one in stationary traffic and the other guy who switched off the automation and drove it into a post - these vehicles will be safer and more efficient than anything we've ever seen on the road.

And better still, if you root it, you can teach it to tease traffic wardens.

BBC abandons 3D TV, cites 'disappointing' results

Rob Moss

I tried to watch the Wimbledon final in 3D yesterday. Just as I did last year. Because some idiot decided that it was far more important to showcase the 3D effect than it was to provide good coverage, Djokovic was up close, Andy Murray was so small you wouldn't have been able to work out who it was if you didn't already know, and the angle was so flat you couldn't tell what was going on with the ball. 3D isn't bad per se, it's just that everyone rushes to get the most 3D-ish thing they possibly can at the expense of all else - including good coverage.

The future of cinema and TV: It’s game over for the hi-res hype

Rob Moss
Stop

Not entirely true

I'm not sure whether the author has tried watching any of Wimbledon in 480i as compared to 1080i, but the difference is most certainly worth having. Sure, the motion compensation gets horribly confused every now and then causing the ball to jump around for no particular reason, but at least in 1080i I can actually see the ball.

Review: Crucial M500 960GB SSD

Rob Moss

Fragmentation

Fragmentation does exist to a point - that's why you see different speeds with different sector sizes. The closer you match the cluster size to the page size, the better the performance you have, but the more disk space you waste. If you format your disk with 512-byte clusters, your 4K random reads will be rubbish on a disk with 8K pages. But if you format it with 8K clusters, it'll be spectacular by comparison. So you only get a speed increase from defragmenting an SSD if you cock up partitioning and formatting it in the first place.

Amazon yanks SimCity download from store

Rob Moss
Stop

It already exists!

You can play SimCity offline no problem. It's called Sim City 2000. And it's still better than this.

Unbelievably vast quasar cluster forces universe-sized rethink

Rob Moss
WTF?

London buses

So this quasar cluster is 4.5 x 10^24 London buses across? That's quite big. Four and a half yottabuses. Anything much bigger and we'll need a new SI prefix.

Six months under water and iPhone 4 STILL WORKS

Rob Moss
Alien

Ericsson R310s > iPhone 4

My dad once had an Ericsson R310s (actually he had several because the rubber used to perish). Supposedly it was pretty much the most rugged phone in existence, but my dad thought he'd killed one. He managed to sit in a jacuzzi with it in his pocket for 45 minutes, whilst switched on. He didn't realise until he got out. It was dead and there were waves in the screen. But! We left it to dry for two weeks and popped a new battery in it and it was as good as new. So much for "waterproof" - the water got in, and then somehow even got back out again.

In terms of what's on the display, take the SIM out of an iPhone and switch it on. Doesn't matter where you are, it'll cycle through several languages for both the slide text and the emergency number text.

Rainbow plane warps in from gay dimension

Rob Moss

I've seen this one before...

http://i221.photobucket.com/albums/dd121/morris91_2007/austin_powers_jumbo_jet_2.jpg

Whining serial commentard bemoans Reg bullying

Rob Moss
Black Helicopters

Wow

I've just been having a little look on Google for "Aaron Kempf" and, it must be said, the results are hilarious. Aaron, you can't have it both ways mate, if you're going to abuse people, expect to get some abuse in return.

I hereby request that El Reg continues to harass Aaron Kempf online as much as possible. Preferably with a massive database. Run away, Aaron! The databases are coming! The databases are coming!

The iPhone 2.0 update - don't do it, kids

Rob Moss
Thumb Down

Oh my god

Why on earth is everyone so het up about all of this? Chill out a bit. Okay, so it's not Apple's finest hour. But they'll fix it because they have to. So your phone is out of action for, what, a couple of days? Big deal. Go outside, get some fresh air, enjoy your temporary freedom from that pesky boss and that pesky wife. It's no catastrophe. It's a blip. The fact remains that 90-odd percent of Apple customers think that the company provides them with products they love at a price they're more than willing to pay and offers them good enough service that they keep going back and they recommend them to their friends - and this will do nothing to change that. Most companies would kill to be in that position - would Microsoft take a two day outage to make people love Vista? I think so...

Thumbs down for the fanbois, the fanboi-baiters and all the people who think that because Apple got something wrong it's probably the end of the world and it's at least time for a huge rant.

Nokia unwraps bendy nanotech phone

Rob Moss
Thumb Up

Not all hype

From Nokia's FAQ on the phone...

Q. Are there currently any physical examples of the concept phones?

A. There are physical mock-ups available, as well as animations and concept designs that help explain what Cambridge University and Nokia are developing. There are also real examples of each individual concept and physical demonstrations are available. However, we are not yet ready to integrate them into one device. That will take a few years.

Rhys Jones 'killer' named on YouTube

Rob Moss
Flame

Redaction

What on earth has redaction got to do with a weasel? It has three differing meanings:

1: to put in writing : frame

2: to select or adapt (as by obscuring or removing sensitive information) for publication or release; broadly : edit

3: to obscure or remove (text) from a document prior to publication or release

I don't think that's the wrong word to use here, do you? And... weasels come into it how?

Plan for 20mph urban speed-cam zones touted

Rob Moss

He wants to make it even worse!

It's bad enough without fewer people dying on the roads. Do away with speed limits everywhere, that's what I say, sort out the pension crisis in a few short months.

US trade body knocks up disk drive, PC vendors

Rob Moss
Jobs Horns

A permanent decease and desist order?

That's a bit strong isn't it? I mean, cease and desist, fair enough. But decease and desist? Stop infringing our patent and die while you're at it?

And just how do you kill a hard drive manufacturer? My money's on a really huge magnet but I guess we'll just have to see what the court decide.

Bloke buys supercar 'without proper consent from the wife'

Rob Moss

"Definitions"

0-60 in up to 4 seconds

0-100mph in 7sec

0-200mph in 30sec

Standing quarter in 13sec, trap speed of 110mph

Standing mile trap speed of 200mph

Top speed at least 200mph

That's what wikipedia says, Mr Orlowski!

My personal take on things is that you've got to be noticeably faster than the fastest drug dealer car or bog-standard sports car on the market, so the Skyline GTR and any Porsche 911 at the moment I guess.

And stop going on about the Bugatti Veyron, it's old news and it's comparatively slow now, the Ultimate Aero TT is what it's all about these days...

Rob Moss
Joke

The car

This thing is definitely real, it's quite frequently parked outside Scan, I park near there when I go watching Bolton lose. I guess the real story is... he wants to sell it so he can buy a bigger, faster penis extension and he fancied tagging a funny comment on the end. Fair enough. And I bet he's a high-ranking employee and he won't have to pay a penny to sell it on there, so why donate money to Autotrader?

Chav-hunting toffs cop some flack

Rob Moss

I saw it

I heard about this on Radio 5 when I went to get my lunch. I watched it and thought it was brilliant! And now it's been pulled. How pathetic. I was going to show all my friends, we all think chavs should be hunted.

Fujitsu fetes world's slimmest waterproof mobile

Rob Moss

Waterproof?

My dad used to have an Ericsson R320S. He once took it swimming with him. Not a problem for it. He then decided to sit in a hot jacuzzi for 45 minutes. It did take on some water, it did stop working, there were waves in the screen. But one replacement battery later and a week sat on the kitchen worktop drying out and it was working absolutely fine.

Anyone wanna do the test with this? I'll bet it doesn't live through it, it looks flimsy.

MoD boffins in Cornwall GPS-jamming trials

Rob Moss

6 nautical miles...

...is 11.112km. So aircraft within the area specified by the Beeb could in theory be affected. Of course, it doesn't take an aeroplane a very long time to fly 6 nautical miles, but it is annoying when your aging radar starts trying to emulate a spirograph.