* Posts by tnovelli

852 posts • joined 4 Feb 2011

Trump's taxing problem: The end of 'affordable' iPhones

tnovelli

Unless the US becomes a manufacturing hub on a vast scale

That's "make America great again" in a nutshell.

We have millions of highly talented American people (and legal immigrants) just scraping by in part-time shit jobs until manufacturing comes back. And plenty of people, with money and experience, trying to (re)start manufacturing businesses to fill the void of quality affordable products. The only things stopping them are the massive useless bureaucracy and the flood of cheap shit imported from Asia.

1
0

Retiring IETF veteran warns: Stop adding so many damn protocols

tnovelli

Hmmmm....

With every protocol & format having multiple stamps of standards compliance these days, I guess we have to raise our standards for standards. "Standard" is no longer enough. One must sift through the hype and bullshit to figure out what everyone will do in reality.

0
0
tnovelli

Re: Yeah but no but yeah but

There wouldn't be *any* IP encapsulation options if IPv6 replaced IPv4 back in the 90s as intended. But IPv6 itself has some design flaws. One might call it... bloated.

3
0
tnovelli

Re: We're already there

Well.... >90% of /etc/services have been there for 20+ years, and are totally obsolete.

1
0

Apple, Mozilla kill API to deplete W3C battery-snitching standard

tnovelli
Coat

Re: Apple and Mozilla are leading the charge away

Common sense? This is a start, but they're still working on stuff like FlyWeb. Read that link and weep.

2
0
tnovelli

> They will come up with what seem like good ideas, even great ideas that make things better for everybody

Journeyman developer mistakes. By age 30 or so, hopefully they've started thinking "ain't gonna need it, ain't nobody gonna use it, gonna be a maintenance headache, security hole, DoS vector... and frankly we're never gonna finish this damn project unless we do some ruthless feature cutting". Unfortunately the industry is full of 20-somethings.

Hacking courses (or labs) would be helpful for those following the university path. When I was in engineering school we did some (mostly legal) hacking during free time. The course on engineering disasters was good preparation as well. But I'm not hopeful about education - most of the competent programmers I know don't have any, and I can count the ones with CS degrees on one hand.

2
0

Tech support scammers use denial of service bug to hang victims

tnovelli
FAIL

HTML5 History API strikes again!

What's NOT wrong with it?

0
0

Build your own IMSI slurping, phone-stalking Stingray-lite box – using bog-standard Wi-Fi

tnovelli

Re: Don't want to be tracked?

> There's also the whole play of location services which use WiFi to be more accurate - somewhere there must be a feedback loop there as well.

Ah, that. I suspect that Google maps WiFi APs by collecting 'telemetry' from Android phones with WiFi and GPS both enabled. Some years ago they got busted for doing that with their Streetview cars, but their wifi location services are accurate even in neighborhoods never mapped by Streetview, so it's probably phones now.

I guess most people have already learned to turn off GPS and WiFi to avoid wasting battery on being tracked. And the rest won't be swayed by this latest news, unfortunately.

0
0
tnovelli

Re: Don't want to be tracked?

I would think so. I use my phone as little as humanly possible, especially when I have access to a proper computer. The last time I used mobile data was to look up the electric company's phone number when the power went out.

1
0

Run a JSON file through multiple parsers and you'll get different results every time

tnovelli

Re: Ok, so I actually read Seriot's blog

Well, he could've just ranted that everything is crap, but he had to tear apart JSON and Unicode in order to be taken seriously. Yep, he's a Unicode hater too. This guy rocks.

> And btw, he's perfectly welcome to go consistently choosing whichever openly complex, overspecified technologies he fancies

But instead he chose JSON, which is none of those things. *cough cough*

0
1
tnovelli

Re: Python Results

Nonetheless, they show the need for a single, complete specification.

0
1
tnovelli

Re: Ok, so I actually read Seriot's blog

So far he's only tested for obvious weaknesses in many different languages/implementations, not for all possible weaknesses. He listed several possibilities at the end.

But what he's really trying to say is,

As a final word, I keep on wondering why "fragile" formats such as HTML, CSS and JSON, or "dangerous" languages such as PHP or JavaScript became so immensely popular. This is probably because they are easy to start with by tweaking contents in a text editor, because of too liberal parsers or interpreters, and seemingly simple specifications. But sometimes, simple specifications just mean hidden complexity.

1
0
tnovelli
Holmes

Re: JS drives JSON use

Yeah... JSON is a disappointment. Web developers jumped on it because it was (and still is) the only widely-supported alternative to XML with its serious complexity/consistency/security problems. Among my circles we started using JSON in production about 3 years ago. Once exposed to the real world, the bugs began to bite almost immediately. It didn't work out. I still use JSON for AJAX stuff but not much else.

I think we've only seen the tip of the JSON iceberg. Buggy and inconsistent implementations, error-prone quoting & escaping, the frequent need to embed JSON in other error-prone web markup formats (and vice versa), and the general sloppiness of web code.... it's a meltdown just waiting to happen... though probably not before IoT DDoSageddon.

String quoting/markup is the fundamental flaw here. The Unix philosophy (text only) led us down the wrong track. Binary data serialization is much simpler.

3
1
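An added example, not from this post or from Seriot's test suite, of the "buggy and inconsistent implementations" point: Python's standard json module accepts several constructed inputs that are outside RFC 8259 or that other parsers treat differently, and a stricter loader can be built on its hooks to reject them.

```python
import json

# Constructed sample inputs. Each is accepted by Python's default json.loads
# but is either non-standard or handled differently by other parsers.
SAMPLES = {
    "nan": "[NaN]",                             # not JSON; Python accepts it
    "infinity": "[Infinity, -Infinity]",        # same
    "dup_keys": '{"a": 1, "a": 2}',             # last key wins here; others differ
    "lone_surrogate": '"\\ud800"',              # unpaired surrogate escape
    "big_int": "[10000000000000000000000]",     # beyond IEEE 754 double precision
}


def _reject_constant(name):
    # Called by json.loads only for NaN, Infinity and -Infinity.
    raise ValueError(f"non-standard JSON constant: {name}")


def _reject_duplicates(pairs):
    # object_pairs_hook receives every key/value pair, duplicates included.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def _check_values(value):
    # Reject values that decode fine here but break interoperability elsewhere.
    if isinstance(value, str):
        value.encode("utf-8")  # UnicodeEncodeError on a lone surrogate
    elif isinstance(value, bool):
        pass
    elif isinstance(value, int) and abs(value) >= 2 ** 53:
        raise ValueError(f"integer not exactly representable as a double: {value}")
    elif isinstance(value, list):
        for item in value:
            _check_values(item)
    elif isinstance(value, dict):
        for key, item in value.items():
            _check_values(key)
            _check_values(item)


def strict_loads(text):
    """Parse JSON while refusing the lenient extras the default parser allows."""
    value = json.loads(text, parse_constant=_reject_constant,
                       object_pairs_hook=_reject_duplicates)
    _check_values(value)
    return value


def lenient_accepts(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def strict_accepts(text):
    try:
        strict_loads(text)
        return True
    except ValueError:  # UnicodeEncodeError is a ValueError subclass
        return False
```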
tnovelli

The PHP JSON parser is crap too. I've caught it red-handed.

0
0

HTML 5.1 signed off

tnovelli

> Also it includes Adobe Flash for your compatibility needs.

Not far from the truth!

0
0
tnovelli

I was expecting this to be called HTML6, with HTML7 due out by year's end, ultimately achieving version parity with Chrome and Firefox within 3 years.

0
0

Arch Linux: In a world of polish, DIY never felt so good

tnovelli

Re: Negativity central!

Agreed. I've actually dabbled with rolling my own a few times in the past; it was a bad idea then, hopeless now. Assuming you want to run other people's software, you need a ton of bloatware & dependencies. It's just a matter of figuring out what packages/versions/patches you need and how to compile & configure them, just like Debian/Fedora/Arch maintainers do. If you want to do anything different you'll be swimming upstream, only to end up with yet another bloated, unusable, unknown Linux distro.

0
0
tnovelli

Re: Nice distro, but..

If Ubuntu is a microwave dinner, Mint is Chinese takeout, and Arch takes all afternoon to prepare but doesn't necessarily come out great... what's the OS equivalent of simple fresh vegetables and a barely cooked choice steak?

6
0

Search engine results increasingly poisoned with malicious links

tnovelli

Re: NoScript and AdBlock+

uMatrix and uBlock Origin nowadays

The former to block 3rd party content (not just scripts) on a site-by-site basis. The latter because ABP lets Google & pals pay them to be whitelisted.

0
0
tnovelli

Re: 1337 alerts?

haha. I noticed that too. $CR1P+ K1DD13Z R3J01C3!!!

> how many times as many web pages are there in 2016 vs 2013?

A) define "web pages" - URIs serving useless crap don't really count

B) probably less; everyone's moving to apps, right? ;)

0
1

So long Vine, your six seconds of internet fame are over

tnovelli

> Companies who invent branded nouns and verbs for "posting shit on the internet" deserve to fail.

Even the ones with honest plain English names, like shitposter.club?

0
0

Researchers expose Mirai vuln that could be used to hack back against botnet

tnovelli

Re: Digital equivalent

Not even burglars. More like shooting 10-year-olds for being noisy and cutting across your lawn (and being too cheap & lazy to put up a fence.)

0
5

New MacBook Pro beckons fanbois to become strip pokers

tnovelli

Re: Esc

> I have to admit that in the <mumbles, counts on fingers> 9 years of Macbook Pro ownership I've never really used the Fn keys except for dimming the screen or adjusting the volume..

Well, in all my decades of Linux and Windows, I've never really had to mouse-click on mysterious shiny widgets.

2
0
tnovelli
Joke

Re: Esc

The hivemind has found a solution!

https://www.reddit.com/r/funny/comments/59klj4/new_macbook_pro_accessory_only_6999/

...though you can get a mechanical keyboard for less...

0
0

Three LibTIFF bugs found, only two patched

tnovelli
Facepalm

Re: YIKES

Oh. Out of these 3 bugs, it's the unpatched one that's enabled by the default build options, and readily remotely exploitable. Nice touch.

</sarcasm> GOOD NEWS: looks like it was fixed Tuesday (in CVS) and those fixes showed up at https://github.com/vadz/libtiff today. FWIW, probably needs more work.

1
0
tnovelli
Mushroom

YIKES

Indeed. I'm digging a little deeper... good info & links in the article, but it doesn't quite convey the existential horror of the situation.

http://libtiff.org/ - LAST UPDATED IN 2007

http://www.remotesensing.org/libtiff/ - looks like libtiff got kicked off

http://www.simplesystems.org/libtiff/ and http://libtiff.maptools.org/ - CURRENT, but the latest release is 4.0.6 (dated 2015-09-12), with info needed to access the CVS source code repository (https://github.com/vadz/libtiff as mentioned in the article) which contains many unreleased patches.

So, all the information needed to exploit these vulns is available, but no updates. Debian's libtiff5 package hasn't been patched since January.

And it's a dependency of.... EVERYTHING. ImageMagick, GD, PHP, Python's PIL, GIMP, Tracker, WINE, Links2 browser, SDL 1 and 2, SANE... and much much more. One does not simply uninstall LibTIFF....

2
0
tnovelli

Yep... TIFF is just a container format that supports dozens of compression methods, including the ones used for FAX. Still (probably) the highest compression for monochrome images in a widely supported format. I've used it heavily for B&W maps and engineering drawings when size/bandwidth was more important than image quality.

Or to look at it another way, dozens of obscure serialization algorithms full of potential vulns. LibTIFF is a lot like ImageMagick in that regard.

4
0

Self-driving cars doomed to be bullied by pedestrians

tnovelli

Standards, lol. Wouldn't that be nice.

0
0
tnovelli

Re: Yes, it IS a game of chicken.

Yeah... Laws of Robotics could never work in reality. The robots and their programmers will never face serious personal consequences for screwing up. No jail, court costs, insurance hikes, public shaming, embarrassment, or remorse.

0
0
tnovelli

Re: meek cars and commuting

I've actually had my car attacked by a deer once, while doing 40mph. Biggest buck I've ever seen. I went around him but he still got my driver's side mirror.

This raises another question: will these cars stop for dogs? cats? squirrels? Where exactly do you draw the line?

I know, I know: you don't. You throw in the towel on this moronic techno-utopian wet dream.

13
4

Patch AGAIN: OpenSSL security fixes now need their own security fixes

tnovelli
Coffee/keyboard

Re: Burn it to the ground and start over

The entire SSL protocol is a hack. It was doomed from the moment Netscape threw it together at the last minute before the initial release of their browser for marketing reasons ("secure e-commerce"). The developers didn't expect anyone to actually use this crap.

0
0

EU announces common corporate tax plan

tnovelli
Flame

Re: EU Competencies

> When they have done this, what are the odds they then want to keep raising taxes so they have more for their pet projects?

A heavy-handed federal government that keeps raising taxes, while member states do the same.... sounds like the good old EUSA. There's your answer.

2
0

Good luck securing 'things' when users assume 'stuff just works'

tnovelli

Re: "Thoughtful security by design would go a long way."

This is true. Any solution that doesn't appeal to the masses is a failure. FOSS is a hard requirement, but it still has to be 'marketable'.

"No more passwords" would be a huge selling point.

I think storage is the place to start. Imagine a 'cloud storage' system that's actually secure and fully controllable by the user. Client-side key-based encryption. Key-based sharing / group access too. Clean, simple protocols. Servers only handle storage & retrieval of encrypted blobs, having just enough metadata for compartmentalization, just granular enough for efficient access & replication. Backends for existing storage options. Filesystem drivers, web APIs, etc, for compatibility with existing applications.

Make it easy for idiots to encrypt & backup their data. Kill off the proprietary cloud services. Once people get used to key-based access, extend it to everything and kill off passwords.

3
0

Adobe emits emergency patch for Flash hole malware is exploiting right this minute

tnovelli

Re: HTML5 aint all roses for all people

Also, "This latest exploit will only further underscore the arguments from the security community to get rid of the bug-prone Flash Player in favor of the newer, more secure HTML5 standard for multimedia web content."

Spoiler alert: HTML5 isn't secure either; browsers are the new Flash. It's total crap, and the only reason we use it is because it's ubiquitous. Like Flash was.

Flash was actually a better approach - a portable virtual machine for multimedia/interactive stuff. If only it had been properly architected, implemented, and maintained; and open source.

2
0

Possible reprieve for the venerable A-10 Warthog

tnovelli

Re: A10 has a unique role doesn't it?

F-35 ($130 m, airframe only, engines an "optional" extra).

Won't be needing those until they sort out the avionics and such. Could be a few decades.

1
0
tnovelli

Re: Pint due.

To paraphrase, "If it's politician season, why can't we shoot them?" :D

With the 30mm cannon, the rocket pods, or the Mavericks? :D

2
0
tnovelli

Re: Pint due.

Uglier things have been spotted in the sky, but not by reliable witnesses

Few have seen the elusive Airbus Beluga...

I wouldn't even call the A-10 ugly. In person it's an impressive sight. It's a distinctive aircraft, up there with the SR-71, F-104, B-2, Concorde...

35
0

Exit through the Gift Shop? US copyright chief was assigned to shop till, tweeting

tnovelli

Re: Congress relies on the Register’s expert advice

I'm pretty sure they've even been known to read the comments here.

0
0

Murder in the Library of Congress

tnovelli

Re: Can't live with 'em

I don't know how, or if, the pharmaceutical industry can solve its problems. My point is, considering that patents are just another unwelcome legal/regulatory burden for many (most?) industries, even with high R&D costs, it's hard to believe they're a silver bullet for yours. Is it possible you'd be better off without them?

0
0
tnovelli

Re: Can't live with 'em

> Do you realise it can cost around £1.2bn or more to bring a new drug to market?

Yes. If nobody can afford the drug because you want 100k per patient (and you've milked the health insurance system dry) the economics are broken, with or without patent protection. You will never get prices like that for frontline antibiotics. You need to slash expenses and reverse your massive decline in productivity, or get out of the business and leave it to someone who can.

I've heard stories from big pharma... lavish spending, pipe dreams, gross mismanagement. Sounds as bad as Silicon Valley, if not worse.

3
0
tnovelli

Re: Can't live with 'em

That pretty much sums up my feelings about copyright (although I think Patents are completely unnecessary now).

2
1

Existing security standards are fine for IoT gizmos in electrical grids

tnovelli
Coat

Re: I'll start writing the disaster movie script now...

> Get it off the Internet. Use your own network, if you must.

That's not enough. If they can't have airtight security (hint: they can't) the only correct answer is not to do this shit at all.

If they insist on building a smart grid, I'm going off-grid.

1
1
tnovelli
Facepalm

This!

This is how we get to that future where a run-of-the-mill DDoS causes the collapse of civilization.

5
0

Chinese electronics biz recalls webcams at heart of botnet DDoS woes

tnovelli

Right on. Without kids tinkering with OSes on their Raspberry Pis there won't be a next generation of developers to implement said standards. The end result will be the same: "this will continue on and on until there is no internet left."

1
0

Dyn dinged by DDoS: US DNS firm gives web a bad hair day

tnovelli
Black Helicopters

Re: It's back

Interestingly the 'conservative' sites I visit haven't had any issues. It is the 'liberal' media that appears to be down.

Here's a very liberal site that wasn't down; they were talking about the DDoS in the comments: http://www.nakedcapitalism.com/2016/10/200pm-water-cooler-10212016.html

Hmmm, they were spared because they're too liberal for Hillary? lolz.

1
0

Facebook is writing a Mercurial server in Rust. This is not a drill

tnovelli

Re: They stole my idea

So, uh, what are you complaining about? Does it stop you from doing anything you'd actually want to do? Is it possible to turn off the checks if you want to do some quick prototyping?

0
0

DNS devastation: Top websites whacked offline as Dyn dies again

tnovelli

Beatings will continue until morale improves

Great. We'll put Doctor Syntax in charge of vetting routers for the ISPs. If this happens again, we'll put him in jail. ;)

Seriously, there's no point in punishing people for systemic problems dating back 25-50 years. Nobody's blameless, everyone's in over their head. The system in question is literally the sum total of every living software project that grew from a working prototype to a big ball of mud. BBOM^N.

2
0
tnovelli

Re: ENOUGH!

Yeah. Law enforcement cannot stop this. "Cyberwar" counterattacks won't work either.

"Draconian self-policing" (throttling/disconnecting infected downstream users) won't work against botnets whose DDoS traffic is effectively indistinguishable from legitimate traffic. End users won't disconnect infected devices that appear to be functioning normally. Government "cybersecurity" regulations will be misguided and ineffectual. Nothing will be done until the internet is unusable.

What can be done is, 1) Cutting back on unnecessary technology, integration, services, features, etc. 2) Keys instead of passwords. 3) Standard binary data formats that are less susceptible to serialization attacks than oddball/proprietary formats and the "web soup" of text formats embedded in one another. 4) Not just open source, but simple and understandable open systems all the way down to the transistor level.

3
1
tnovelli
Mushroom

IOT FTW

This isn't quite the glorious IOT armageddon that's been prophesied, but current trends will get us there in no time. It's already throttling Twitter and a bunch of 3rd-party web widgets. Excellent.

Looking forward to The Day After -->

2
0

Despite best efforts, fewer and fewer women are working in tech

tnovelli

Next generation

I wouldn't be surprised if the trend reverses itself in 10-20 years. Anecdotally, young kids these days seem to have dropped the stigma against girls (in particular) doing nerdy stuff. If that trend survives adolescence, we should see more entering the workforce with genuine self-taught tech skills, with or without CS degrees.

0
0
