32 posts • joined 2 Oct 2012
Did a signup process for a financial institution recently. Authentication secrets in the post, all very secure. But then the letter with the random key arrives and says:
"you must enter your postcode in upper case with no spaces"
Err, perhaps somebody ought to introduce them to toupper() and isalnum()? How hard can it be to write 3 lines of web form validation code instead of wasting the time of a million humans?
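As an added illustration of the point (this is not code from the post or from the institution), here is the normalisation the form could do server-side, so the letter never has to tell the customer how to type their postcode. It assumes the postcode on file is one factor of the activation check and is stored already normalised; the function names and the sample inputs are mine.

```python
import hmac
import re

# Anything that is not an upper-case letter or digit is dropped after upper-casing.
_NOT_ALNUM = re.compile(r"[^A-Z0-9]")


def normalize_postcode(raw: str) -> str:
    """Upper-case the input and strip spaces, punctuation and any stray characters.

    Doing this on the server means "sw1a 1aa", "SW1A 1AA" and "SW1A1AA" are all
    accepted, instead of the user being blamed for the form's own strictness.
    """
    return _NOT_ALNUM.sub("", raw.upper())


def verify_postcode(submitted: str, on_file: str) -> bool:
    """Compare the user's entry with the stored value, normalising both sides.

    Because the postcode is being used as part of an authentication step here,
    hmac.compare_digest is used so that the comparison time does not depend on
    where the first differing character is.
    """
    a = normalize_postcode(submitted).encode("ascii", "ignore")
    b = normalize_postcode(on_file).encode("ascii", "ignore")
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample values, not real customer data.
    stored = "SW1A1AA"
    for entry in (" sw1a 1aa ", "SW1A 1AA", "sw1a-1aa", "SW1A 1AB"):
        print(repr(entry), "->", verify_postcode(entry, stored))
```

The three lines that matter are the regex substitution, the upper-casing and the comparison; everything else is there to make the check safe to use on an authentication path rather than only on an address field.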
Just bought a Samsung 40HU6900 40 inch TV for work - I do a lot of CAD, so a big monitor is very handy. Post World Cup prices are plummeting - at release in early May it was £1000, now it's £639. We bought from John Lewis for £729 inc 5 year guarantee (we have a ton of first-generation 2560x1600 panels with faults where they overheat and fail: worth paying a bit extra to avoid early adopter risks like this)
It's a nice display - there are two main issues. One is the graphics cards haven't caught up: the TV has HDMI 2.0, but there's no hardware that outputs that. The alternative is DisplayPort 1.2, which uses a hack called multi-stream transport (MST) to pretend that it's two displays to the GPU. The Samsung doesn't have DisplayPort, so I'm on 3840x2160 30Hz at 4:2:x on my late 2013 Retina MacBook Pro 15". When a suitable HDMI 2.0 GPU comes out I'll use that on my Linux box. The chroma downsampling is slightly annoying, but it's OK. I'm not bothered by 30Hz as I don't game. This was about the only affordable 40" panel I found: the alternatives were a variety of 28" TN models, which I suspect are all the same panel inside. A 28" 16:9 UHD panel would have been worse than the 30" 16:10 2650x1600 panel I previously had, hence the reason to go for 40". It also has 4 HDMI inputs, while the previous only had 1x dual-link DVI so I had 3 monitors on my desk for different machines.
The other issue is that being a TV it's laden with crapware. What TF is 'football mode' and why TF would I want it? There's also tons of 'smart' (arse) features that I don't want, like on web browser and apps. However, by not connecting the TV to the internet most of these mercifully don't work. But more annoying is the 'picture improvement features' which just serve to mangle the picture. I think I've turned most of these off now - the worst was something called 'Motion Plus' that was a special 'blur all scrolling or typing' feature. The most important feature, being the 'Source' button on the remote control to select input, works OK - a few more clicks than the usual monitor button, but I'll survive.
The other useful feature would have been picture-in-picture, but that only works if one source is TV. It's also slightly reflective (less than my Mac, but more than its predecessor), and doesn't have an adjustable stand. If this annoys me sufficiently I may find another VESA-mount stand. Put it on the power monitor, depending on backlight brightness it takes a fairly constant 70-150W, dropping to 50W in 'where's my signal gone' and 450mW in standby. Poking about with other picture settings didn't change the power numbers.
So, in summary I'm about 80-90% happy. For the money it's a decent monitor, but be prepared to turn lots of stuff off to make it usable.
Re: "British Antarctic Survey"
Ah, appears the diversion via St John's is a research cruise to measure water circulation fluxes in the subpolar North Atlantic.
Here's our plucky adventurer from the James Clark Ross end of the telescope:
Re: "British Antarctic Survey"
Currently en route from St John's, Newfoundland to Immingham then Frederikshavn for waste disposal, refit and resupply. It's a bit nippy down south at the moment hence a good time to take out the trash, do some DIY and then do a big Tesco run.
Re: Proper version control
It wouldn't necessarily solve it, but it might help. The main issue is relying on a tool as both editor and version manager. If it screws up, you've lost your version history. That's an eggs-in-one-basket risk avoided by using an external tool.
If you have an external VCS you've at least got guaranteed access to everything in the history. Some of those might be corrupt, but there will be a known-good version. You can diff the last known-good against the first corrupt to see what changed. It may or may not be straightforward to port that change forward into the latest version.
Plus you can see what you're changing - if the editor decides to reduce the file size to zero bytes, diff will show you that before you commit.
The main headache being they don't always play nicely with binary files, but as mentioned there may be a plugin to support zipped files which would help in this case.
Proper version control
It does rather make the point that Proper Version Control (you know, those things with 3-letter names) would have no trouble here, as it's decoupled from the editor in question. I suspect it's probably not as good for diffs in Word etc, but you do at least have the history going back to commit #1.
Hard hardware is hard
There has been a resurgence in people building hardware. This is good.
However, a lot of it is quite simple stuff. I'm getting a bit tired of endless Arduino-style projects, involving an ATMega, a few bits and pieces wired to GPIOs, and a pile of C code. Sure, it's hardware, and sure there are plenty of gadgets out there that are like that (what does your smoke alarm do?) but how far can you go with this approach?
Are these startups building phones or laptops or servers or basestations or fancy RF things...? The hard engineering (20 layer PCB, 10GHz signalling, DDR3/4, PCIe gen 3) isn't happening outside large companies. The one place it is happening is China - the Shanzhai are making phones and tablets, which requires some decent engineering.
Maybe this is a function of commoditisation - BeagleBoards and Raspberry Pis already exist as components so we don't have to do that tedious work. But if you hit the limit of what's possible with them, you have a very steep wall to climb.
So IoT is the latest buzzword. Maybe you can do all of that with an Arduino. But if the volume's there it's almost certain that someone can do it cheaper and lower power with an ASIC - and which of these startups is doing ASICs? And if the volume isn't there, is there enough revenue to make it worthwhile except for niche products?
Someone recently said 'heavy semi[conductor development] is like steel and railroads' - in other words, needs lots of investment of money and time. Board-level stuff is less, but to do anything complex still ain't cheap or easy.
A moral of the tale
If you're a big webby company, scale up your password reset system just as you scale the rest of the site. Don't host it on a 486 in the basement, because when things like this happen...
On the question of salt, they could store each old hash with its own salt and checking the new password by hashing it with each salt in turn and seeing if it matches. That would be more work, but no less secure than individually salted hashes. The password database would be larger, but the old hashes would be purely for elimination - compromising one would only reveal a deactivated password.
It's a rather curious approach though - what's the threat model from re-using old passwords? (I note Google prevents that too). It would only make sense in an enforced changing regime (when it prevents swapping between 'passwordA' and 'passwordB' every month - but can't detect 'password201405')
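Taking the scheme from the post above literally, as an added example (not code from the thread or from any of the sites mentioned): every retired password keeps its own salt, and a proposed new password is re-hashed under each stored salt in turn and rejected if any digest matches. The PBKDF2 parameters, the history depth and the sample passwords are assumptions of mine. It also shows the limitation the post points out: swapping between 'passwordA' and 'passwordB' is caught, but 'password201405' sails through.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for this example


@dataclass
class StoredHash:
    salt: bytes    # unique per entry, so old and new hashes share nothing
    digest: bytes


def make_hash(password: str) -> StoredHash:
    """Hash a password under a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return StoredHash(salt, digest)


def matches(password: str, stored: StoredHash) -> bool:
    """Re-derive the digest under the entry's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), stored.salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored.digest)


@dataclass
class Account:
    current: StoredHash
    history: List[StoredHash] = field(default_factory=list)  # retired hashes only
    history_depth: int = 5  # how many old passwords to remember (assumed policy)


def change_password(acct: Account, new_password: str) -> bool:
    """Reject reuse of the current or any remembered password, otherwise rotate.

    The cost is one PBKDF2 derivation per retained salt; the old digests are
    only ever used for this elimination check, never for logging in.
    """
    for old in [acct.current, *acct.history]:
        if matches(new_password, old):
            return False
    acct.history.insert(0, acct.current)
    del acct.history[acct.history_depth:]
    acct.current = make_hash(new_password)
    return True


if __name__ == "__main__":
    # Constructed sample run.
    acct = Account(current=make_hash("passwordA"))
    for attempt in ("passwordB", "passwordA", "passwordB", "password201405"):
        print(attempt, "->", "accepted" if change_password(acct, attempt) else "rejected")
```

Each rejected attempt costs the server as many PBKDF2 runs as there are retained salts, which is the "more work" the post mentions; a compromised history entry only yields a password that no longer opens the account.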
It seems to me that the audiophile 'industry' is a bit like the whisk(e)y industry. We solved the problem of turning grain into alcohol a long time ago - the purity of industrial distillate is pretty good these days. But pure alcohol isn't what people want. It's all about the impurities - all those peaty, smoky, earthy notes, botanicals, colourants, whatever. The more impurities it's managed to acquire the better. That's why it's left sitting around pickling bits of tree for a very long time.
I wonder whether it's the same for 'audiophiles' - actually they like small amounts of distortion and it doesn't 'sound right' if they aren't there.
The good news is this is easy to game - just add a DSP which introduces the 'right' distortion, sell it for $5000, profit.
Which, incidentally, doesn't seem far off what 'Beats Audio' does today.
Eight Gigs And Constantly Swapping
We need a new editor to keep up with Moore's Law in the 21st century, as EMACS has clearly fallen behind.
So they took a bog standard £500 laptop and put in it:
An Intel Atom (why Android x86? Did they get CPUs on BOGOF from Intel or something?). Equivalent ARM SoC would be say $20.
2GB RAM: $15
16GB flash: $15
Battery 19Wh: $30
A dock connector: $5
And want to charge £900 for the privilege?
Re: 400 Mhz?
Since I haven't seen this anywhere, here's /proc/cpuinfo (I finally managed to start telnetd and get in, using ethernet):
Poky 9.0.2 (Yocto Project 1.4 Reference Distro) 1.4.2 clanton
/ # uname -a
Linux clanton 3.8.7-yocto-standard #1 Tue Oct 1 00:07:32 IST 2013 i586 GNU/Linux
/ # cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 5
model : 9
model name : 05/09
stepping : 0
cpu MHz : 399.076
cache size : 0 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : yes
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 7
wp : yes
flags : fpu vme pse tsc msr pae cx8 apic pge pbe nx smep
bogomips : 798.15
clflush size : 32
cache_alignment : 32
address sizes : 32 bits physical, 32 bits virtual
power management:
It even ships with the f00f_bug! Welcome to 1997 all over again!
Re: 400 Mhz?
Also as an application processor there is no software ecosystem. There's tons of x86 Linux distros out there, but it won't run any of them (without yet-to-be-done hackery). Yocto is just getting off the ground as an embedded system platform, but it's not a 'hacker' OS like Debian or even OpenWRT, it's more an 'appliance' OS - make a change, rebuild all the packages, run the regression tests, signoff by management, ship firmware v22.214.171.124 to the factory. You aren't really intended to ssh in and run emacs to change things.
They provide the Arduino ecosystem but it's no good as a microcontroller.
So I'm yet to work out what it /is/ good for.
Re: Lost the plot
NUC is advertised for 'digital signage' - which is fine if you have a mains plug, but no good if you need to integrate into an existing setup (which only has 12V for example).
PC motherboards are fine except they aren't small. I can't easily slip one inside my product as you could with a Pi-sized thing. The other problem many of these boards have is connector placing: I can't mount one on a spare bit of back panel to make the ethernet available, because I need to make space for the ruddy VGA connector to stick out, and the back panel needs to be 170mm tall to accommodate an ITX motherboard (mounted vertically as the rest of the case is used for something else). These boards are also not thin having big heatsinks and airflow requirements.
Re: All the Arduino IO is connected by a single I2C port
You might have been discussing the speed of generic I2C in an ideal world, but the rest of us were discussing the speed of the GPIO that's provided on the Arduino headers on this board. As far as Arduino-land is concerned it's just GPIO, it shouldn't matter how it's wired internally. Except a flat-out rate of 230Hz (that's 2ms per transition) rules out a lot of things where you need to drive any kind of protocol via the GPIO as it's way too slow. (In my case I'd want to use it for being a JTAG master, which wants KHz or MHz and has no hardware acceleration in common microcontrollers).
Re: All the Arduino IO is connected by a single I2C port
I/O timing is here:
Essentially, I/O mediated via I2C can go at 230Hz (not KHz or MHz) maximum. The 2 pins that don't go via I2C can go just under 3MHz (it's unclear the jitter on this).
SPI and PCIe are all very well, but the whole point of the Arduino footprint is access to raw GPIOs to wire to things. PCIe is very awkward to deal with unless you can build a gigahertz PCB (not straightforward) and an FPGA to receive it. SPI is potentially useful but needs extra chips to break out into GPIOs. All of these have increased latency over a simple GPIO.
Lost the plot
I received one of these on Monday. My previous experience was with trying to use a first-generation Intel NUC in an embedded application, which led me to conclude that Intel doesn't really understand embedded (it needs a 19V power supply, WTF?). Let's see if Galileo is different.
Unboxing with Galileo, there's the board, a power supply, and a booklet of disclaimers in umpteen languages. No instructions at all.
OK, go off to the website to read the quick start guide. Set up the Arduino software, it tells me to update the firmware. But my board has newer firmware than is available in the download bundle, fail.
Right, try the LED blink demo, that works.
Now, I want this as a Linux box, so let's see if we can get Linux up. Write an SD card as per the instructions. Put it in and power up. Nothing happens. No serial output, no LED flash.
Of course there's no display so I can't see if it's booting. Reading the instructions, boot messages and EFI menus go to the serial port. Which is not the USB port I'm attached with, but the weird 3.5mm jack. For which no cable was supplied. The instructions helpfully say you need to make a serial cable. But most computers don't have serial ports any more. 3.3V serial to USB dongles are common now, and I have one available. But the jack socket is RS232 levels, which it won't do. So I need to make a 3.5mm to DB9 adaptor, and then have a full RS232 to USB adaptor so I can plug it into a computer.
To even see the boot messages.
After all this palaver (ie some minutes), the LED is flashing, so something must be happening. But I don't have ethernet handy (I'm at work, getting stuff on the network is time consuming, laptop has no ethernet port), so I have no other means of interacting with it. /dev/ttyGS0 is the Arduino programming USB serial provided over a USB Gadget driver, which is fine except ttyGS0 doesn't work until the board has booted - and you can't enable a terminal on ttyGS0 without having the board booted and already logged into it. Normal Arduino boards have a USB-serial converter onboard which solves all these problems - not this one.
The SD card is the kernel and a .ext3 file on a FAT partition, so I can't even try traditional mount-the-SD-on-a-PC tricks. (Well I could loopback mount the .ext3 but this is getting awkward)
Plus the distro is weird (Yocto). It doesn't run vanilla distros like Debian, so I can't just image an SD card and go. (Actually someone has almost managed that, but it doesn't like libpthread for some reason, and images aren't yet available). Yocto looks OK for deploying embedded Linux in a commercial environment, but rebuilding your distro from scratch isn't something you want to do when casually hacking.
Of course, none of this is mentioned in the quickstart guide - and there's only a fairly sparse forum to fall back to.
Hardware-wise, there are two full-speed I/O pins, the rest are via I2C. That's hopeless for bitbanging any kind of protocol. It's actually a Linux box running an 'Arduino environment' as the only process. A worse idea I couldn't imagine. Why did they think Arduino was a sensible environment to target?
And the Quark chip runs finger-burningly hot.
I'd really love a small, cheap, Intel board with either GPIO or USB (it's to be a JTAG server for some third-party JTAG tools that's only built for x86). But I'm wondering whether to cut my losses at this point as they clearly have no idea. Maybe someone will do a Raspbian for it and solve all the problems - until then it'll live in the ever-growing pile of abandoned dev boards.
My school was an anti-Acorn school. They had RMs and then Macs. When they had a big throw-out of hardware (RM 186s and 386s, smashed Mac Pluses) I saved them from the skip. I think there were some 380Z/480Zs, but those went before my time.
The RM Nimbus 186 was not a pretty design - ribbon cable buses for expansion cards. I spent quite a while trying to port ELKS (Linux for 8086) to it - eventually gave up because I couldn't find any documentation on the weird Nimbus hardware. Even salvaging most of the RM software when they cleared it out was no help - I have Autosketch and Windows 1.03 but nothing particularly useful - and they wouldn't run most DOS software. Most software ran in the BBC BASIC emulator. I tried for a while to find their network OS for Z-Net (their peer-to-peer serial network) - I think it was Microsoft Networks (long before MSN as an online service). Never found anything useful. How hard it was to find anything before the internet age.
The RM 386sx16 was OK - at least it ran Windows 3.1. My high point was running Linux, X and Netscape in 4MB of RAM. 30 pin SIMMs were a pain though.
I still have an RM Pentium 75 - ran a floppy Linux distro as a router until a couple of years ago. I didn't touch the hard drive which still has their Window Box software - how to make Windows 95 unusable.
I think there's a pattern here - RM took theoretically decent hardware and worked out how to make it almost useless...
Re: Are you feeling lucky, punk?
Once MS get over imposing this artificial cliff, there's plenty of more nuanced options they could take.
For example, charge a subscription for updates. Maybe there could be two tiers of subscription - the gold 'we support everything in XP' and the bronze 'we reserve the right to disable functionality if it's too much of a pain to secure'.
Also impose further conditions, like not being able to activate new XP licenses or transfer old ones. So it will die with the hardware. Though I haven't thought through all the second-order effects (prices of secondhand XP machines will rise, maybe a blackmarket in XP transfers).
The biggest headache is those XP machines that will stop receiving updates and become zombie fodder, because nobody is paying attention to them. I can't think of a solution for that case - short of the last update formatting the hard drive and setting fire to the network card.
Are you feeling lucky, punk?
So we have a face off: Microsoft v half a billion people.
MS are turning off support for XP simply because they want people to pay up for a new version. There is no other reason, it's not an edict from God or a Security Council resolution. They'll still be fixing the security holes for their 'special' clients. It's purely a commercial decision not to provide them to everyone else.
MS might find that people aren't prepared to go along with their plans, and will carry on using XP. Be interesting to see who yields first. My money is on MS. Easier to fix Microsoft than fix half a billion PCs.
Auction not as described
Time to claim on the PayPal buyer protection?
May I just point out...
Facebook works in Lynx. Or the mobile version does anyway. Surprisingly well in fact - I actually use it for real that way sometimes.
In law, anything made available is published. In the old days you'd see an advert in the back of the local paper "Secrets of Reincarnation. Send 29p to PO Box blah, London N1 blah". It doesn't matter that you got back a handwritten badly-photocopied sheet, that's a publication. Same goes for something on a random website. Doesn't matter that three people have asked for it, it's 'made available to the public'.
If it's password protected, that's not a publication. It's not made available to the public, it's made available to your Aunty Joan only. Same goes for an internal document. It may be a memo from Bill Gates to a hundred thousand minions, but it's not made available to the public and thus is not a publication.
A grey area is hidden links. I can put a private document on my website and tell only you the URL. That's not a public document. But if your email is hacked and the URL is leaked so that crawlers pick it up, arguably that becomes a publication.
Re: So many issues I hardly know where to start...
The question I want to know is the one I keep asking about clouds. So, you've given me 1TB of cloud data instead of local storage. How do you propose I get my data into this cloud, on my (fast for UK) 2Mbit domestic upload bandwidth? I make that to be 46 days nonstop at full throttle - not accounting that I'm probably limited to a few tens of GB per month.
And I couldn't even make 3G behave itself in *central London* today - uploading my files at tens of KB/s - don't make me laugh.
It would make a nice Linux machine, except for the braindead lack of storage.
Chromebook Pixel developer info:
Read Bill Richardson on Google+: plenty of info there
1. You put it in developer mode and can then boot stock Linux distros - Ubuntu and Mint have been mentioned as working just fine. There's a 30 second delay each boot while it advertises it's in developer mode, but sounds like it wasn't too complex to set up.
2. SSD is a single SanDisk chip soldered to the board (looks like a BGA). The LTE slot is USB2 only, so no mSATA in that. There's no other orifices in which to put an SSD. Board pic:
4. Looks like the SD socket is full depth
Clouds are a bit like banks. When they burst, everyone wants to withdraw at the same time. And then you realise it isn't actually possible to withdraw all your money/data at the same time as everyone else. In the case of clouds it actually costs them more than normal for their links to be hammered 24/7, so even if you're prepared to wait, getting your data out is more costly than just keeping going. Maybe there should be a clause in the contracts that triggers extra keepalive payments when insolvency is declared.
On second thoughts, there's always the bulldozer method to retrieving your data...
I'm feeling your pain - trying to spec out a work laptop that I want to be basically a netbook but with a decent screen and battery life, and ability to run the one x86-only Linux app that I use all day. The trouble with Clover Trail machines is they're only 32 bit (hello, we've had x86-64 for, what, almost 10 years now?) and thus only take 2GB RAM (the same limit as back in 2008).
Currently looking at the Samsung Ativ PC Pro 700 - it's 11" 1920x1080, Core i5, same digitiser as the Galaxy Note 10.1 (ie decent for handwriting), with detachable keyboard (inc extra battery), 64 or 128GB SSD. It has 3G/maybe LTE (essential to get work done on the move - none of this 'please enter your inside leg measurement for wifi access' or 'welcome to 12 minutes free wifi, $15/hour thereafter, please buy in the airport business centre on the arrivals level' - bit tricky when I'm sitting at the gate and my plane is delayed *again*)
Downsides: it's only got 4GB and that's non-expandable (maybe virtual memory will suffice for my app that regularly takes 8GB just to sit there idle). Battery life is unclear ('up to' 8 hours).
Biggest downside is it runs Windows 8. Looks like Ubuntu will run OK, but I haven't found a touch WM that plays nicely when it's in tablet mode (KDE's Plasma Active looks interesting but seems just weird).
And it's £1000 (but I'm not paying).
Re: Hello Mr Bayes
That doesn't matter for pattern matching. Humans can recognise written signatures whatever they're written on, however they're scaled, even if slightly mis-shapen. It's the relative movements that count. And it's a numbers game - even if only 1% matches succeed that's still a win.
Hello Mr Bayes
If apps like Swype can work out what I'm trying to type by a few inaccurate slidey movements on a touchscreen, an attacker sure as hell can. It's just an application of stats, and not very complex stats at that.
I've thought of at least one way this is a piece of fail.
So, the virus scanner spots that my site example.uk is full of malware (according to itself). They de-activate the domain. So what happens to all the emails flying around my company, or between me and Nominet, which are addresses @example.uk? Nominet don't run my DNS, so they can't turn off A www.example.uk but keep MX example.uk. They can spoof my domain, but then DNSSEC will trip them up. They can do the DNS on their own authority, but it will trip up anything that expects my DNS to be signed by me. And even if they proxy DNS to my servers so that MX example.uk still works, what if everyone in the company uses http://www.example.uk/webmail for mail instead?
So such a domain cannot be a primary domain for a company, because the chance of having your email go down is just too big a risk. Which means it will only be a vanity thing - ie just another tax the marketing department has to pay.