Oh don't mind that. It's just a temp folder for gwx
1346 posts • joined 7 May 2012
Oh don't mind that. It's just a temp folder for gwx
Perhaps they could have a quick chat to the good folk at nbn. They seem to have found a way to make lots of promised fibre disappear.
For those who missed the joke
Now I'm not a fan of the NoSQL fad, but Mongo worked exactly how all NoSQL databases work by design. They trade off transaction isolation for performance. Or put another way, why do you think that these things can be faster than a traditional rdbms? It's defined by the very overheads it can disregard. It is a terrific compromise for certain types of problem but people really need to stop using it for problems requiring ACID.
As for "write your software with the above race condition in mind", that's kind of backwards advice. If you write your own locking or serialisation, I will promise you here and now that it won't be as efficient as the rdbms that you are trying to avoid in the first place.
> Total traffic on the internet this year is going to surpass the one zettabyte mark
And that's just GWX doing its thing on all those folk who thought that they had hidden the update.
Android 6 permissions model works differently. You don't grant any permissions* until the app tries to use that feature (basically the same as iOS). You can also retrospectively revoke permissions even on legacy apps (which may cause them to crash, but my personal experience is that most of my apps survived the denial of things that are not functionally related to the app's purpose)
* admittedly that's Google's version of any, meaning it can still do network etc.
> Bet you a pint they just added another da?
Nope, changed all the a's to @.
> If anyone manages to break into or steal the database, all they have is hashes, from which it will be very hard to reverse engineer the password itself.
Before throwing stones here, a consumer grade GPU can compute 18 billion (yes with a B) sha1 hashes per second. Most English dictionaries have between 80 and 500 thousand words for some perspective. Or the hash of every possible 5 character password within a second. Very hard should always be understood in context of available number crunching capabilities.
But yes, there is a good chance that the passwords were not hashed enough times with sufficient salt.
It is also a really dumb password and was reused at multiple sites.
> Just because all beer is made from hops, water, yeast and barley does not mean all beers are the same!!!
Certain American versions seem to contain exceptional quantities of the second. Other Aussie brands mix them so terribly that they have to export them cause they're is no way WE'D actually drink that crap.
> I guess centimetres and the like vary from country to country??
Would that be African or European centimetres?
The fact that it "used something that is basically Java" needs to be broken down a bit because that indeed contributed to the success. The important part of the "basically Java" from a skill transfer perspective is that the API is the same. For example, if you are looking at the String class, a newcomer won't care whether the substring method is the same or different internally, just that the method name, overloads, parameter names and types are the same. It's this API that would have fair use defence, so by that argument, the popularity is based on something that'd qualify for fair use.
Google play is a red herring. You don't have to pay Google anything to sell an android app unless you want them to host it in play. You can alternatively side load it or push it via other android stores by the likes of Amazon, Samsung. It is a hosting, supposed vetting, indexing and processing fee, not a licence fee.
I see this as a bit of a pox on both their houses. Oracle has every right to assert ownership of the *implementation* of the methods that they write and choose to licence it however they wish. I agree with the author on that point; that it equally protects copyleft code. But they cannot copyright the API itself, that is, Google can use the interfaces, structures, data classes, method signatures necessary to deliver the functionality specified by the API but must write their own implementation of those or licence it appropriately.
Oracle are being a bit tricky by omission. If they were being honest about it they would asset Google's right to the interface "code" and reiterate that their complaint is about the implementation code only. But I suspect that would drop the lines of code violation quite handsomely if they don't count those. If I was in oracle's line of business with some other global 3 letter megacorp that could claim ownership on a rather significant API and would therefore be making that distinction at every opportunity.
Google are being tricky here by pretending that some of the items weren't copied. Notwithstanding that for trivial methods, the same code can quite easily be independently written and that with the advent of refactoring tools that just renaming variables to make it look different might only take a few seconds, it certainly looks suspicious to me.
Oracle are also asking for what seems to me to be a non proportionate share of revenue here. I work with two pieces of business software weighing in at give or take 3 million+ and 500 thousand+ LOC, and that is nowhere near the complexity of a modern operating system. It's got me thinking about the status of snippets provided on stack overflow too. I can well imagine a number of methods that are heavily inspired by answers in similar forums. 11 thousand, whilst significant, is likely to include many fair use elements and even o methods that Oracle may find that someone else invented.
Certainly not the quantity of emails that could be called a database. Do their systems not have safeguards to bounce if too many addresses are in the To or Cc fields?
For how long will Samsung provide security patches for it?
How long will Samsung guarantee to keep any services alive that are required for it to function?
The next version of gwx will be renamed to taskkill.exe. It will have some optional switches though, like /F(orce) and /IM(mediately).
> Except maybe systemd
I see your systemd and raise you a svchost!
> At a discount I would have thought
Good idea. It might be hard to work out just how big a discount is needed though. Too little and they won't sell. Too much and they won't make as much as they could have. I have an idea. Perhaps they could just offer to sell it to whomever offers the highest amount?
Yes. By all means require/hold that number. Just stop tricking yourself into believing that knowledge of it somehow authenticates the holder of that information.
It's kind of like your date of birth. It's a data point about someone but it is unchangeable and hardly secret.
Additionally, licence numbers are almost certainly vulnerable to enumeration attacks. Something amiss with a licence number should be a red flag to investigate a bit deeper. No more. No less.
It feels really weird to be standing up for the RTA or whatever they call themselves these days, but it seems to me that fingers are pointed towards the wrong people.
There are two numbers, a licence number and a card number. The card number changes each time that a new card is issued, so can be in effect "cancelled". Why are credit agencies etc using the licence number if they are a target for identity thrives? There are many reasons why someone needs to share that ID. Just try signing up for any service, setting up any account, superannuation fund, insurance, loan, school enrolment for your kids or whatever without having to provide it to be photocopied.
* Yes I'm aware how Ponce is pronounced
If not for the rampant, er telemetry, and gwx, it's actually quite nice. I would even be recommending it save for the frankly frightening way they are behaving here.
It reminds me of a dog chasing a car. What does it actually think it will achieve by upgrading my media centre PC to a version that doesn't support media centre?
If the upgrade had three buttons
Not sure, ask me later; and
No, don't ask again
We would be praising them.
> Unknown to Michaud, at the time he's accused of viewing the material, the server was already under the control of the Feds.
Shirley that sentence is getting pretty close to libel. I'm making no assumptions about whether he is guilty or innocent here, but one would expect the whole point of the defence argument was that he never accessed that site. If that is true (presumption of innocence and all that) then it would make no more sense than pointing out that Chirgwin did not know at the time that Michaud is accused of viewing...
The point here is that "we have secret evidence that proves his guilt, trust us" doesn't cut it. Perhaps with the opportunity to review and contest the evidence, an innocent man could be spared from unjust punishment, or perhaps it proves guilt beyond reasonable doubt.
Actually, I think they are using Grass, Leaves, Or Nutrition for Donkeys; or GLONASS for short.
There you go folks. Straight from the
horse's donkey's mouth
> If it needs to work in case of power loss it should be driven by a bunch of cylinders with compressed air
Yeah, it's not a PV array. The tower already contains thousands of L of superheated stream because, you know, it's kinda how the whole contraption actually works. Pretty sure they can figure out a way of converting some of that energy.
A spring loaded (or even gravity dropped) shutter could cut the power entirely within seconds for relatively little cost. Both could be passively activated.
Surely a far simpler solution would be to lower the shutters over the mirrors. I should patent the idea. Except it is probably what they actually did. I know, on a mobile device ....
> I'd almost forgotten just how amazingly fast a rocket can actually go
Particularly those that have just seen an Australian spider.
If they can already figure out the part of the problem that I thought was intractable (freedom fighter or terrorist), surely they can do better than to just shut down access? Why not just replace all the download links with GWX.exe? That'll stop people searching for it.
Firstly, a MitM scenario is what we call "the norm". It is highly unlikely that you have a direct connection from your computer to the server. There are most likely a dozen networks that get traversed. It is not some afterthought that the guys behind HTTPS didn't consider
Being a MitM allows you to 1. Observe and 2. Manipulate any bytes traversing that link. For HTTP, that means that pages can be manipulated and any credentials can be easily obtained. Some popular IT news websites even fail to use HTTPS in their comments if you can imagine that. Equally, mixed HTTPS via a HTTP page is not safe.(eg).
But HTTPS is different. The design of HTTPS is that your browser demands the site prove that it owns a certificate by signing a random challenge issued by the client. The server gives it's public key which can be used to decrypt the response and reveal the original challenge, the certificate is signed by a trusted authority, which hopefully means some diligence was done that the issuer. Without getting a hold of the private key of a CA, or otherwise convincing them that your certificate should be signed, you will either have an invalid signature or a CA that your browser has never heard of. In both cases, your browser will make it known to you that it isn't satisfied.
The theory works, setting aside whether the CAs are trustworthy. The problems are in the implementations. The Apple GOTO fail bug was basically a failure to validate the signature on the certificate. POODLE works by interfering with the negotiations about what algorithms the client and server have in common, and basically tricking them into communicating using a very weak key. That is easily mitigated by either the client or server having a somewhat recent security patch applied.
Sslstrip works by tricking the client into using plain old HTTP while it works as a proxy, talking using HTTPS to the website (HTTPS validates the website identity, not the client identity, and you just gave your credentials to a proxy which is now emulating you.) It's not magical. It is also not going to get past hsts so I seriously doubt a modern browser is going to leak Gmail over HTTP.
It's not a mountain different to current techniques like int.TryParse() returning both the success and the value if it was successful or dictionary.TryGetValue returning both whether the object exists in the dictionary and the object itself when it does.
On more than one occasion I have created a class that inherits tuple and named item 1 and 2 via getter methods and named constructor parameters. It works nicely but can be very verbose.
> Obviously, YMMV but LINQ, the TPL, async/await, yield return (etc.) all make the older alternatives look awkward.)
Perhaps, but it can also hide a bunch of inefficient loops (thinking linq).
I saw the following line a month back
Var myshashset = new hashset<int>();
// Put some numbers in it
if (myhashset.Any(a => a == 5))
Put a million numbers into your hashset if you want to know why that is such a bad idea.
Another one I saw was two consecutive aggregate functions, which I had to point out to the author that they were iterating their whole dataset twice.
The others though are brilliant.
Secondary impacts do cause a lot of injury but the rolling up and over motion also means that the pedestrian isn't absorbing as much of the momentum, lessening the injury. Affixing them will result in much more momentum.
Let's just hope that senator ICanMakeYouWearRedUnderpantsOnYourHead starts getting a hint about the potential mission creep behind metadata retention laws he previously supported.
It works in a computer game dice roll scenario but not a security scenario. Your possible seed values is minutely small because I have a high probability of guessing your clock time to "within seconds". The default system timer on windows has a resolution approximating 10ms (actually closer to 16ms but 10 makes my math easier). That leaves only 100 possible seed values per second. That is easily brute forced.
Explain how one decides the random order of those bits?
> A new solar water heating installation costs about £3,000 to £5,000.
That number is either way out of date or exaggerated due to your local geographical, regulatory and supply considerations. Here in Australia you can get 300L systems from AU$3500 installed before rebates, so that drops to around 2.5K retail. Payback vs 27c/kWh is much quicker than in your scenario.
Your process is admirable, but not in the realm of technical capability of Aunt Kath. Remember the comment thread you are replying to basically says that about 3% of disks will fail without any malicious ransomware, so it is hard to have sympathy for those without backups. That's why I think of who the victims are. The average El Reg commentard is too super DevOps skilled to fall for the phishing schemes that deploy this ransomware. But our Aunt Kath will go right ahead. So the people most at risk of infection would have no clue what rsync or hard links mean and the concept of incremental backups isn't even on their radar.
... Ransomware can also permeate into backup media. Some of these things sit there for weeks or months silently encrypting and decrypting on the fly. This may be enough on some cases for all backups to be equally rooted.
> Renewable energy is pretty much dead in the water as any competent electrical engineer can calculate for you. It doesn't work now and it never will
A brave prediction sir.
Hydro has been with us for a long time. You can make many complaints about its environmental impact and the good sites are already taken, but there is no escaping that it works. It is usually a lot cheaper than coal or nuclear and can be classified as baseload. Also as mentioned in the article, it has by orders of magnitude the fastest cold boot times of any current baseload.
I can completely understand that solar has a somewhat limited benefit in the UK but in other parts of the world we even get sun from time to time.
The price of solar has dropped by orders of magnitude over the past decade. That trend is only going one way. The question longer term isn't whether some baseline can be replaced but rather how much is needed to maintain reliability. With pumped storage as illustrated here, that number can go much further north. Remember that solar doesn't require ongoing fuel costs so there will be a running cost advantage. Once those graphs cross over, it will be nigh impossible to get funding for new projects.
Another important point is that not all demand is inelastic. We just haven't had the levers to discourage behaviour in real time until recently. Whilst lighting, cooking, air con or heating and of course warm beverages are a given, much industrial uses like smelters can be paid to partially shutdown for peak periods.
Time of use "smart meters" are a longer term demand management opportunity. Each EV has a battery pack between about 10 and 60 kWh which again in a longer term can handle fluctuations.
Whilst it isn't all going to change tomorrow, the writing is on the wall.
> I notice that the article doesn't say how long it can maintain that sort of output
Being in Wales, I suspect that there is a not insubstantial free top up of the top reservoir every other day.
But his solution would just suck.
- ah yes, that's where I left my coat.
Did the crime rate increase or did the reported crime rate increase.
Because I am quite confident that knowing the whole thing is on camera, when an overreach inevitably occurs, the appropriate investigation occurs*. I wonder out loud whether in the old days the junior gets taken aside for a quiet word about not being allowed to tase someone just cause they made some snide comment under their breath now gets officially recognised as a crime.
*not counting the well publicised exceptions that led to various riots.
It depends on the manufacturer and network. My Nexus 5 (2014) running 6.01 got its May security patches this morning. Buying a device with vanilla android was my priority.
If your hypothesis is right* then someone at a vulture desk will owe MS an apology for the title of this article. It would in that case be Asus causes some of its motherboards to crash** after faulty UEFI implementation.
* I have nothing to add on that point.
** Brick is the wrong verb here.
I too, would send one of Winkypop's kidneys for fttp.
> What needs to happen is browsers need to start a connection to a server with only TLS 1.5 (assume a time traveler with from 2020), then when that fails, drop back to 1.4 and so on until it can talk
Sorry Tim. That can't work. Or more specifically, it can't prevent a downgrade attack.
Alice sends Bob a TLS 1.5 handshake.
Trudy intercepts that handshake and responds to Alice with a wtf response. Alice can't yet verify that this isn't actually from Bob.
Alice then tries with 1.4. Trudy responds the same way.
And so on....
Eventually Alice tries the only-just-better-than-ROT13 version thinking Bob can't do anything better. Trudy lets it through and can then observe or fiddle with the stream.
So independent researchers discover and report to the government a vulnerability allowing it to be patched rather than exploited. Instead of a thank you, they get the book thrown at them.
Do pray tell, what exactly do you think that the next researcher will do if they discover a vulnerability? Certainly they wouldn't setup some hidden tor service where for some infinitesimal small portion of bitcoin you can load credit on the card, making a wad of cash whilst the authorities pay big bucks to try to reverse engineer the hack.
Security research can be a murky area. By not selling their exploits on the underground marketplaces, they are already giving up a lot of money. Sometimes they will overstep the mark even if their intentions are good. I make no judgement about whether they overstepped here, but the government needs to catch half a clue here, figure out what they are trying to achieve and determine whether their decision to prosecute advances that goal.
Upon sober reflection, they should realise they have scored a spectacular goal, just for the wrong team
> However, there’s no direct information in the spec sheets to say drives are warrantied for data written. In fact, terms such as “designed for” are used more often, so where do we stand with the warranty?
In Australia, it's actually pretty simple.
Companies can include or exclude whatever they want; it doesn't reduce makes no your rights under consumer law. Unless that writes/year is clearly stipulated in the box, visible before you make the purchase, they can't enforce it (won't stop them trying of course). They don't even provide an easy way to measure how much has been written, so it would be difficult to say the least for them to enforce even if they suspected you were "naughty".
It's doubling of powers though. Just going from 8 to 9 would increase it by 36 fold. Not sure what I'm missing here but there should be about 2.8 trillion combinations of 8 character lower alpha + digit
= (26 + 10) ^ 8
Just going to 9 characters gives you 101 quadrillion possibilities, which grabbing my not really Bill Gates hat ought to be enough for anyone.
I don't follow what they are running out of because these are already big numbers. . My suspicion is that they are concatenating more info into those identifiers (first x characters means y, etc) but that's just a guess.