* Posts by An0n C0w4rd

359 publicly visible posts • joined 24 Oct 2011

Peering closer at 3D XPoint memory: What are Intel, Micron up to?

An0n C0w4rd

Re: Missed one mystery

To a degree it probably depends on the controller driving the chips. It looks like it could be more like RAM, but initial implementations may present it as a block device to aid adoption before trying to create new places in the storage stack for it.

It's OK – this was an entirely NEW type of cockup, says RBS

An0n C0w4rd

@J.G.Harston

If that's true, then they don't appear to have much slack in the system. It should surely be able to process more than another 150k transactions per window without melting?

An0n C0w4rd

Re: Oh yes it is

I've yet to meet a piece of software that has no bugs. You can put in DR and backup systems to your heart's content, but a single line of code can bring the entire lot crashing down around your head.

Vapourware no more: Let's Encrypt announces first cert dates

An0n C0w4rd

1) free (basic, i.e. not the EV ones that give the green flag on the address bar) are already available and honestly not that complicated to get (installation can still be a pain)

2) so far no-one seems to have solved the underlying trust issue (i.e. can we trust that the CA issued that cert to the entity you think you're connecting to), other than relying on dnssec, which isn't widespread enough yet to make a noticeable difference (RFC 6698). Even DANE is not without potential issues, since it can be used to make phishing sites look legitimate ( see https://www.imperialviolet.org/2011/06/16/dnssecchrome.html )

HGST says its NVMe flash card will manage 750,000 IOPS

An0n C0w4rd

Re: Very cool

Unless my calculations are out:

743,000 x 4k read ops/sec = 2,972,000 kb/sec = a shave under 3GBytes/sec

160,000 x 4k write ops/sec = 640,000 kb/sec = 625 MBytes/sec write

Without pondering PCIe bus saturation problems (only using 4 lanes of PCIe so there should still be capacity, in theory) I've definitely seen applications that could chew through those throughputs, or make a pretty sizeable dent in them anyway. Netflix Open Connect comes to mind as one of the more obvious applications.

Plus, it's not just the IOPS you need to consider. It's the latency. Even if you can't hit the IOPS, if you reduce the latency of your application 5x or more, the cost could be justified in various situations where the read or write of that piece of data is a blocking action for something else, e.g. a database. If you have to hit the DB 20x to do one action, you just sped that action up tremendously.

Vodafone: So what exactly is 'ludicrous' about the Frontier report?

An0n C0w4rd

Not entirely sure OpenReach as part of BT is the problem

There is little incentive to lay competing cable to reach consumers in the UK. The logical choice would be cable companies, but despite a large number of cable companies springing up in the UK during my lifetime, Sky drove most of them out of business, and the few that remained went to Virgin Media which hasn't really done much to invest in reaching more homes.

A large factor in that is the cost of laying cables, because that involves digging up streets to put in new ducting.

Perhaps separating ducting from the rest of the infrastructure would help so companies can rent/buy duct access to run their own cable if they wanted to, thereby providing true competition for the last mile instead of just letting OpenReach dictate what the UK should be offered.

This ISN'T Net Neutrality. This is Net Google. This is Net Netflix – the FCC's new masters

An0n C0w4rd
Trollface

Aha

So the real reason is revealed. The NSA lobbied the FCC to make sure that the companies that they scrape their data from are able to get the data to their warehouses from the consumers.

US air traffic control 'vulnerable to hackers' says watchdog

An0n C0w4rd

Sigh.

“Sophisticated terrorists could even steer planes into one another”

Really? Guess the Senator has never heard of TCAS then. You could probably try to get Cessna 152 and 172s to collide (no more than 4 people on board each plane), however they go slow enough that VFR visual scanning would normally catch the collision. Every scheduled passenger flight has TCAS by FAA mandate (and CAA in the UK, etc) which prevents that exact situation from happening.

You'd stand a better chance of CFIT (Controlled Flight Into Terrain) because there ARE some weaknesses in the prevention systems there, but you'd have to be in IFR conditions with no visibility and find a suitably steep mountain that wouldn't trigger the "Too low, terrain" warning until it's too late, at least until the GPS based terrain warning systems are available and generally used.

An0n C0w4rd

Re: Heathrow?

It is definitely LHR. You can see the T5 toast-rack configuration at the left and the T4 oddity at the bottom right. Must be an old pic because the new toast-rack for T2 is missing. I think the pic pre-dates T5C coming online actually.

EFF fears crims are getting smart to Superfish SSL flaws

An0n C0w4rd

Re: Whose laws would they be breaking?

@Bronek Kozicki

As far as I am aware, there is already legal precedence for the wiretap laws to be used for Internet traffic, and it doesn't have to be for SSL traffic, *all* IP traffic counts.

The trouble comes from the license agreement. As far as I understand it, enterprises can put fake SSL signing certs onto their computers so that they can intercept SSL connections at their IDS/IPS/filtering gateways so they can make sure that no malicious traffic is found because you likely agreed to it as part of the conditions of employment.

If Lenovo put that in the license agreement (that no-one ever reads) then they *may* have a get out of jail free card.

TalkTalk 'fesses up to MEGA data breach

An0n C0w4rd

Re: How did that actually work then?

@Lallabalalla

In theory direct debits should be secure as the signature on the authorisation form should be compared to what is on record at the bank. In practice I suspect that was never done.

Also, as far as I know there are now 100% electronic direct debit instructions, so in theory yes, a DD could be made just on sort code, account number and the name of the account holder.

Errant update borks Samsung 850 Pro SSDs

An0n C0w4rd

@Tubs

SSD manufacturers warn that FW upgrades MAY lose data, but only occasionally do they say a particular upgrade WILL lose data, and they tend to put big warnings around that.

I suspect the "MAY" comes from the fact it's difficult to prove a negative. You can't prove all SSDs in all systems will upgrade correctly without data loss, so the CYA option is to put the "we may wipe your drive" line in there.

An0n C0w4rd

Re: Think people

@gerdesj

I'd be curious why RAID with SSD is "really hard"? I've seen people claim that identical SSDs in RAID are a bad idea as they tend to fail (i.e. write lifetime expire) around the same time, but beyond that I'm not sure what you mean.

Also ZFS works with SSDs as a L2ARC or ZIL without a SAN and while it'll never fit on a laptop in that configuration, it'll work quite happily in a desktop without a big SAN.

Hacker hijack 'threat': Your car's security is Adobe Flash-grade BAD

An0n C0w4rd

Re: Missing data?

@Voland's right hand

Where does the dealer get the data from? It would have to be stored in the car. So the missing data source is still missing, unless I'm being dumb (always a possibility).

An0n C0w4rd
Big Brother

Missing data?

Quote: "On the privacy side, all of the 2014 models put out by car makers that responded to the survey collect some form of information from their customers, with 25 per cent storing it on the car and half transmitting it back to corporate servers, where it is kept for up to ten years in one case."

So if I am reading it correctly, all the 2014 models collect data, but 75% or less store it on the car and/or transmit it back to corporate servers. What do the rest do?

Blighty quietly signs deal to read giant EU border control database

An0n C0w4rd
WTF?

Why was some of this not in other databases?

"37,000 European Arrest Warrants and 60,000 missing children and vulnerable adults" - shouldn't that be in a police database that we already have access to?

Likewise the identity document alert we should have had access to when it's checked with the country of issue (which I hope we do for all the time people stand waiting at the border for the border computer to process the document). If not, wtf are we waiting for?

BBC bins pricey Windows Media, Audio Factory goes live

An0n C0w4rd

"Here is what we are doing, you will support it"

I like the bit at the end of the article that implies the BBC thinks that it is up to device manufacturers to support the way they are delivering content, rather than the BBC selecting already widely supported formats and distribution mechanisms.

FBI fingering Norks for Sony hack: The TRUTH – by the NSA's spyboss

An0n C0w4rd
WTF?

quote article: questioning the official FBI narrative was “counterproductive,"

yes, because blindly trusting everything the government says works so well?

Oppressive regimes, say like North Korea, would LOVE it if people just blindly believed the government. Are the Feds really trying to say they're somehow better?

One Sync to rule them all: How Microsoft plans to fix OneDrive

An0n C0w4rd

"Why did Microsoft ever think that two different cloud storage services with nearly the same name, but different clients, was a sensible idea?"

I guess you've never worked in marketing. Who cares what the technology is, must have a good name that people will recognise!

Which is, of course, why the marketing people will be first to be shot when the revolution comes.

EU-Canada airline passenger data-sharing is not a done deal

An0n C0w4rd

'merkins

The Americans will simply say "your airlines will share their PNR data or they won't be allowed over our airspace" and the EU will fall over itself to comply (again). I strongly suspect if you buy a ticket from a US airline (or on a US airline via a code share with an EU airline) your PNR data is already shared and there probably isn't much the EU can do there since you're dealing with a US entity, so it creates a situation where the US wins anyway - either the EU airlines share their PNR data, or they stop EU airlines flying to the USA and force people to buy tickets with airlines that DO comply.

I seem to remember the EU negotiated (allegedly) tougher set of restrictions on PNR sharing, and the US thanked the EU and then pointed out that nothing changed because of some get-out-clause, and in fact the "tougher" restrictions may have ended up being less restrictive as a result.

Net neutrality, Obama, FCC, Title II: Your ESSENTIAL guide to WTF is happening

An0n C0w4rd

Example of how well the laws work

Some of the late 80's/early 90's legislation opened the doors to having more than one provider in an area, e.g. if Comcast was the incumbent cable company then someone else could come along and build out a cable network and compete with Comcast (or VZ, or Cox, or AT&T, or SBC, etc).

This, in theory, was a great idea

In practice it had major issues because while the FCC let it happen at a national level, it could fail at a local level (but not always)

A company I know of tried to get permission to build out a competing network in Baltimore, MD. Despite multiple submissions to the city leaders, the decision got repeatedly delayed. And delayed. And delayed more. They were never explicitly told "no" from what I understand, but they were never told "yes" either. Why? The Comcast head office at the time was literally *across the street* from the city offices.

End result? Baltimore never got competing services.

There are other stories I've heard too about local interference for petty political reasons, ultimately to the detriment of consumers. Such as the incumbent cableco in another area didn't have an obligation to provide service to the entire county, but when a competing provider applied to build out service they were told they had to run cable to every property in the county. Fair? Don't think so.

Light regulation only works when everyone plays nicely together and has equally big bank accounts. When one provider is significantly bigger than another, regulation is needed to stop the big guy squishing the little guy like a bug on a window of a high speed train.

The last mile providers think they own the eyeballs and that since there tends to be no effective local competition they can do what they like to protect the revenue/profit stream they've set up. They need to be shown the error of their ways.

UK smart meters arrive in 2020. Hackers have ALREADY found a flaw

An0n C0w4rd

Re: fucking fucking retards

it will make a difference to consumption when the govt (or energy company or national grid) decide you're using too much electricity at a peak demand time and turn your supply off to "manage grid load", of course since this is done in the National Interest(TM) you have no choice but to accept it and no recourse for compensation, etc.

It's the only way that this can play out which will make any significant difference to energy usage.

An0n C0w4rd

Re: The actual government PDF makes for depressing reading

"Demand-side response involves electricity users shifting (or reducing) demand usually prompted by price"

the worrying thing is what the "unusual" methods are. I suspect "load shedding", in other words rolling blackouts to reduce grid load, probably using the smart meters to turn off your supply. possibly based on which tariff you are on (more expensive tariff = less likely to be turned off or something)

I'm sure the government will tout this as being green, but all that will happen is it will drive the sale of inefficient petrol, diesel or natural gas based generators to homes/businesses to keep the lights on.

"Licence conditions allow suppliers to access monthly (or ‘less granular’ i.e. less frequent) consumption data for billing and other regulatory purposes without needing consent. There will be a clear opt-out for daily collection of data, and an opt-in will be required for use of the most detailed half-hourly consumption data"

How can a consumer prove one way or the other? if the meter reports hourly data no matter what, the provider can use that data and mask it behind something else.

APPLE support doc CONFIRMS 'ORGANIZED NETWORK ATTACKS'

An0n C0w4rd

Quote: "There is an ongoing battle between those who desire to capture information and those who desire to communicate without surveillance."

That's not limited to just China

Hey Apple, we're gonna tailor Swift as open source – indie devs throw down gauntlet

An0n C0w4rd

Re: not convinced

I honestly can't remember what the original BSD distributions from UCB CSRG used, but the F/OSS BSDs have traditionally used gcc.

An0n C0w4rd

not convinced

If Stallman didn't write GCC, the probability is someone else would have written another open source compiler instead. I suspect an argument could be made that it would have been better done another way - for the last 20 years or so I've frequently run into bugs that turned out to be gcc bugs, not bugs in the code compiled by gcc. A compiler developed by someone else may have been able to do a better job if not shackled to someone going around with a hard disk platter on his head.

Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan

An0n C0w4rd

Time

Right now there is still some public resentment about the NSA stories coming out post-Snowden. Wait a few months or maybe 1-2 years and then the Feds will be able to sneak anti-crypto legislation in without hitting the headlines.

The reason I say that is that it will give them enough time to invent some cases that prove that crypto that the Feds can't crack through a subpoena are causing people to be killed by kidnappers or causing children to be sold into prostitution (or whatever). The fact is right now the Feds cannot point out a SINGLE case where crypto prevented them from solving it, and the 3 cases Mr Comey (FBI Director) highlighted in a recent speech had nothing to do with crypto AT ALL ( see https://www.schneier.com/blog/archives/2014/10/more_crypto_war.html )

Surprise! Government mega-infrastructure project cocked up

An0n C0w4rd

assumption - better network = less commuting

unfortunately, a large percentage of businesses still think that unless you park your bum on your seat in an office with all your co-workers then you're not working. I suspect the opposite is quite often true - you get more work done at home as co-workers aren't popping over to you to talk about yesterday's football/rugby/cricket/whatever.

I'm still in awe of Google, perhaps the biggest purveyor of cloudy infrastructure, insisting on staff being in an office (which is the primary reason I'll never work at Google or Facebook or a host of other companies - I refuse to move to a big metro area like London and sit in traffic for hours a day). If there was one company that should be promoting telecommuting it should be Google. (yes, I am aware of the "unplanned collaboration" idea). The fact that companies like Google are encouraging people to move to London, which is already creaking under the strain of the existing population, is just plain daft and they should be shot (or at least heavily fined) for encouraging that. Probably a new tax should be levied for each person a company encourages to move to London to pay for the infrastructure needed for that person (power, water, public transport, etc)

The reality is that better networking at home probably means Netflix/Amazon/Sky sell more PPV movies.

May: UK data slurp law is fine, but I still need EMERGENCY powers

An0n C0w4rd

Amazing

she didn't claim to be protecting children!??!!?

Aereo has to pay TV show creators? Yes. This isn't rocket science

An0n C0w4rd

Re: Confused?

which always struck me as interesting - in the Amazon tablet advert, the punter calls up amazon support to ask how to play his movie on the big tv as he has some friends over. Was amazon just encouraging people to violate the public performance clause? seems to be a grey area to me.

An0n C0w4rd

Re: Good. Now it's time to end retransmission fees.

I can't confirm if this is still the case, but cable companies in the USA used to have to carry the free-to-air broadcasts in the clear on the cable plant. No encryption, no compression, so that unmodified TVs without set top boxes could pick them up. You still needed to pay the cableco for the connection to their plant, but IN THEORY you didn't need extra kit to get those channels that you could have got with an aerial in the roof.

Of course the cableco's loved to hide this fact and push set top boxes and other stuff to you to bump up their MRC and make some money. And with channel bundles they probably made it so that you had to buy other stuff anyway. I'm honestly not sure what revenue the local free-OTA broadcasters saw from cable companies. I would tend to suspect that the cableco's pushed them to let them get the content for free and in return the broadcasters got more eyeballs for their ads and made their money that way, especially today with the mega-cablecos and their muscle.

With the push to digital broadcasting and HD content, the above may no longer be true as you can't stuff a HD channel in a 6MHz cable frequency band without compression.

Get cracking on STARTTLS says Facebook

An0n C0w4rd

Re: Hmm

That depends on the problem you are trying to solve

STARTTLS for MX records may not deliver perfect secrecy (or security), but it does provide a layer of protection. e.g. it stops someone from using Carnivore (or whatever it is called this week) to get the sender and recipient information, since the session is encrypted. PGP or S/MIME (the encryption option, not the signature option) cannot mask the envelope and headers, they have to be plain text, hence channel encryption becomes interesting.

Also, if you are doing Authenticated SMTP, STARTTLS should be required, not optional.

An0n C0w4rd

Re: And…?

Without a valid certificate you're not proving that you are delivering to the right server, all you are doing is stopping people from being able to decode the content just by sniffing the packets.

Encryption without authentication doesn't protect your content.

Comcast exec says wired broadband customers should pay-as-they-go

An0n C0w4rd

Re: Perversely, I thought metering was sane.

@Daggerchild

Netflix *is* paying for bandwidth. They pay their upstream to carry the data to an IXP, where it is handed off, most likely to the subscriber's ISP.

The subscriber then pays the ISP to carry it to their location.

I fail to see where the problem is. Despite their claims to the contrary, the ISPs *are* being paid for carrying the traffic. I, as the consumer, pay my ISP to deliver the content I request. It is up to the ISP to charge enough to recover costs and to maintain/upgrade the network.

What is happening here is anti-competitive behaviour, pure and simple. The big carriers (Comcast, Cox, BT, whomever) figure they can get paid at both ends of the deal - by the content generators and the content consumers. Then they can simply squeeze everyone else out of the market because they don't have the clout to negotiate those deals, so the cost to the consumer will be higher. Most consumers only look at their MRC, so they'll move to the ISPs that are having their cake and eating it too.

An0n C0w4rd

Re: Gouging

Cable has problems because the incumbents in the USA built their cable plants to broadcast TV, with high numbers of subscribers per node. As Internet (and other services such as Video On Demand, Set Top Boxes that do more than just decode encrypted broadcast signals, telephones, etc) became more popular this showed a problem - you can go from DOCSIS 1 to DOCSIS 2 to whatever the latest is and push more bits per MHz, but unless you go from 500 subscribers per node to 100 subscribers per node (or less), you're going to run out of bandwidth. Increasing the number of nodes is difficult because you have to run a ton of new fibre, and then rebalance the plant (which is easier said than done - HFC networks are twitchy)

It's easier to blame Netflix than it is to fix the problem.

The number of subscribers per node (and therefore are sharing the same spectrum allocation for their upstream and downstream) is always the weak point for cable. You can throw all the bandwidth into the head end or hub site you like, but it won't help. DSL has an easier time of it because you can more easily increase the backhaul.

Twitter sneaks in Facebook-ish photo-tagging – how to switch it off

An0n C0w4rd

"Promoted tweets"

Until this latest update, you could swipe over promoted tweets and get rid of them. That feature has mysteriously vanished in the new version.

Google slashes cloud storage to $0.026 per GB. Your move, Amazon

An0n C0w4rd

Winners?

Customers win from a race-to-the-bottom in the short term, but long term? I'm not so sure. Too many other industries have suffered from consolidation and significant supplier failure rates in the race to the bottom, leading (in the end) to only a few big suppliers and less competition.

GSMA: EU net neutrality reforms are the enemy of business

An0n C0w4rd

Hiding costs

The entire motive behind this isn't innovation, it's a push to race to the bottom on *perceived* costs to the end user, by moving the costs elsewhere and hiding them (by making other companies pay). I fail to see how creating an unequal market place fosters innovation. If Youtube or Flickr had to pay for access to ISP subscribers from day one they never would have got off the ground.

The US telco market used to have something called reciprocal compensation. It was brought in after the Ma Bell breakup because the telco terminating an inter-LATA call received no compensation from the billing agency (the long distance carrier) for using their network. The originating carrier was compensated by the user in the form of their subscription. (why the terminating carrier didn't count the revenue from their subscriber I have no idea. Clearly the money they were charging for their line rental was too low. It's the same B.S. the ISPs are pulling now).

This lasted until the CLECs came along and figured out they could put dial up modem pools behind their switches and suddenly they were receiving millions of dollars a year from the ILEC for terminating dial-up calls to ISPs. Some CLECs initially built their business model on receiving those revenues.

The minute the tide turned against them the ILECs started screaming that it was unfair.

Of course it was - the rule they fought for was suddenly being used against them. To be honest, it probably was unfair. However the ILECs built themselves a nice little empire with access to millions of subscribers that they thought they controlled and that they could milk for all they were worth, including basically demanding other carriers pay them to make calls to their subscribers.

I'm waiting for someone to do the same to these greedy ISPs (most of whom are legacy telcos - go figure) who are demanding money for access to their customers.

Another day, another nasty Android vuln

An0n C0w4rd
WTF?

Huh?

I thought one of the points of Java was that such string overflows shouldn't be possible?

Boffins working on debris float models to track MH370 wreckage

An0n C0w4rd

Re: Australia anyone?

@Vic

I think SATCOM ACARS was disabled, but the transceiver assembly remained powered. As best I understand it, Inmarsat sends the ping request and the assembly on the aircraft, independent of any other systems, answers. Unless they thought to pull the breaker for that subsystem it would always answer. It was probably not well known by anyone outside of Inmarsat before this incident.

An0n C0w4rd

Re: How do Autopilot systems work?

There was a European flight (Helios Airways Flight 522) where the maintenance people on the ground left the pressurisation system on manual, and the co-pilot didn't notice during pre-flight checks so everyone on board asphyxiated.

The autopilot continued to climb until it reached the pre-programmed altitude, and then continued until it reached the destination beacon and circled waiting for new instructions

That was a Boeing 737. It's possible the 777 autopilot behaves differently, however I would suspect not

The way the autopilot works, in general, is that it only stops controlling the aircraft:

- if manually disconnected / turned off

- if it detects flight envelope information it considers unreliable and therefore it is unable to continue. In that case it tends to trip the master caution alarm so that people know what's happened, and that is a fairly major alarm. In the AF447 case, it couldn't reconcile the flight speed/altitude information from the sensors so it turned itself off.

Any other behaviour would lead to the possibility of the plane entering uncontrolled flight (where no-one is positively controlling the aircraft), which is to be avoided.

An0n C0w4rd

Channel 5 report

Anyone else watch the Channel 5 program on MH370?

I found it rather lacking in credibility for two points

- The plane in the AF447 crash was a "Boeing Airbus"?

- apparently you can take control of a plane by plugging into the USB port on the IFE. Which is impossible as there is an air gap between the IFE and the cockpit systems. Boeing tried to share a transmitter between the IFE and the cockpit systems on the 787 and got thoroughly spanked by the regulators and they had to separate the systems.

An0n C0w4rd

Re: Australia anyone?

@Wzrd1

There are too many things against the emergency and pilots lost consciousness theory. The fact that the emergency happened between the handoff between Malaysian and Vietnamese ATC could be co-incidence. The plane then allegedly flew just under 30,000 feet along the northern border of Malaysia, which puts it in another zone which straddles ATC control zones - above 30k feet the rules are different (to pack more planes into the corridors), and by flying the border whoever was in control made sure that whichever controller saw the blip, they would likely assume the other side was handling it.

If the data above are proven true, then the emergency theory doesn't hold up - it looks way too much like whoever was in control didn't want to be found

Also, you missed one point - if there *was* a decompression event, the crew immediately get down to 10k feet or lower so they (and everyone else) can breathe. That didn't happen. If they couldn't descend, then they also couldn't reprogram the autopilot to take them back. An event that knocks out ACARS, the transponder, the voice radio, *and* all flight controls is unheard of and extremely unlikely. Even if the radios aren't redundant (which they are to a degree - there are at least two voice radio systems on a modern jet), the flight control systems *are* redundant

IMHO, the hijack theory is the one that makes sense given the currently available data. The questions that remain:

- who hijacked the plane - the flight crew or someone else?

- their motives

- why apparently leave a RADAR track going north from the Malacca Straits, and then apparently turn south towards Australia?

An0n C0w4rd

Re: Looking for what isn't there?

Uninterruptible telemetry is nearly impossible for a reason not mentioned so far - the system needs power. All the power drawn for the plane's systems comes through the main power buses, and unless you do something insane (like hard wiring it into the plane's power buses with no breakers), then there will be a way of stopping the transmission as all they need to do is pull the breaker.

Even if there is a small battery in the device to provide some power after power loss, e.g. both engines flaming out so the main buses go dead, this plane flew for *hours* afterwards, so the last "burst" saying "HELP! I'm over here!" would be thousands of miles out.

Google grabs Gmail-using HTTPS refuseniks and coats them with SSL

An0n C0w4rd

Re: It's Secure*

@Jamie Jones

Sorry, poor phrasing

The servers pointed to by their MX record offer STARTTLS

An0n C0w4rd

Re: It's Secure*

Also, if people send you an e-mail from non-gmail servers the MX record offers STARTTLS, and the certificate appears to be genuine, however:

- I suspect most mail servers don't try STARTTLS when delivering mail (at least in my experience)

- even those that do STARTTLS, most of those won't validate the certificate so MITM attacks are still very real

Also, unless you use PGP or S/MIME to encrypt the contents of the e-mail, it's still stored in plain text, so any intermediate SMTP operator can read your e-mail or it can be intercepted.

So being able to browse your mail over SSL is all well and good, but it's still not secure.
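An added example (not part of the original posts) of the distinction drawn in this post and in the earlier "Get cracking on STARTTLS" replies: STARTTLS that only encrypts versus STARTTLS that also validates the MX certificate, and TLS that is required versus optional. The host `mx.example.net`, the sample EHLO reply and all function names are assumptions made for illustration.

```python
import smtplib
import ssl

# Constructed EHLO reply from a hypothetical MX host, as it appears on the wire.
SAMPLE_EHLO = (
    "250-mx.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 PIPELINING\r\n"
)


def offers_starttls(ehlo_reply: str) -> bool:
    """True if any line of a raw EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Reply lines look like "250-KEYWORD [params]" or "250 KEYWORD [params]".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        keyword = line[4:].split(" ", 1)[0]
        if keyword.upper() == "STARTTLS":
            return True
    return False


def opportunistic_context() -> ssl.SSLContext:
    """Encrypts the session but accepts any certificate (stops passive sniffing only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Encrypts and authenticates: chain must verify and the name must match the MX host."""
    return ssl.create_default_context()


def plan_delivery(starttls_offered: bool, require_tls: bool, verify_cert: bool) -> str:
    """Decide what a sending server does with one MX host under a given policy."""
    if not starttls_offered:
        # Optional TLS falls back to plaintext; required TLS refuses to send.
        return "refuse" if require_tls else "plaintext"
    return "tls-authenticated" if verify_cert else "tls-unauthenticated"


def probe_mx(host: str, port: int = 25, require_tls: bool = True,
             verify_cert: bool = True, timeout: float = 10.0) -> str:
    """Apply the policy to a live MX host. Needs network access; not run by default."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        action = plan_delivery(smtp.has_extn("starttls"), require_tls, verify_cert)
        if action.startswith("tls"):
            ctx = verified_context() if verify_cert else opportunistic_context()
            try:
                smtp.starttls(context=ctx)
            except ssl.SSLCertVerificationError as exc:
                return f"refuse: certificate not valid for {host} ({exc.verify_message})"
            smtp.ehlo()  # extensions must be re-read once the channel is encrypted
        return action
    finally:
        smtp.close()


if __name__ == "__main__":
    offered = offers_starttls(SAMPLE_EHLO)
    for require_tls, verify_cert in [(False, False), (True, False), (True, True)]:
        print(require_tls, verify_cert, plan_delivery(offered, require_tls, verify_cert))
```

`probe_mx` is the only function that touches the network; point it at an MX host you operate to see which of the four outcomes your own policy produces.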

Planes fail to find 'credible' candidate for flight MH370 wreckage

An0n C0w4rd

Re: BUT...

@vic

You're right, sorry, there are computer assists on the 777, but from memory there is a big button on the control column that overrides those computers. The Boeing mentality is that "computers can be mistaken, people should always be able to override them". So unless the hackers rewrote the proprietary control systems to disable that feature, there is no way to control the plane from the ground like that.

An0n C0w4rd

Re: BUT...

I don't buy the fire theory either. If the autopilot was reprogrammed to go back to the beacon of an airport, it would have just kept circling over the beacon waiting for more instructions, not head off on some random course.

Also, if there *was* a or some other event that caused the pilots to don their oxygen masks the first thing you do is descend rapidly to a point where you can breathe unassisted because the pilots know those masks don't last long and hypoxia will guarantee the death of everyone on board.

ACARS, the transponder and voice radio are all different systems. I find it difficult to explain why they were all knocked out

I also laugh at the front page of a British bird cage lining manufacturer which stated that the plane's systems were hacked remotely. Uh. Sorry, but a 777's flight controls are not computer assisted (unlike Airbus) which means that explanation is about as likely as truth from a politician.

An0n C0w4rd

Re: what happens

Probably depends on what mode the autopilot was in. There are multiple modes, and altitude hold may not have been engaged.

Tech giants KNEW about PRISM, web snooping, claims top NSA lawyer

An0n C0w4rd

Re: Powerpoint

Various newspapers have been given full copies of his archives already. Which is why the British Government went to The Guardian and oversaw destruction of one or more hard drives that allegedly contained a copy of the documents.
