* Posts by Flocke Kroes

2646 posts • joined 19 Oct 2007

Is EU right to expand 'right to be forgotten' to Google.com?

Flocke Kroes Silver badge

Re: Please start thinking

So Google deletes all references to RaumKraut on their servers. Their spider finds the offensive web page with your name in it again, and because all instructions to the contrary have been deleted, it puts an entry in Google's index linking your name to the web page you do not like. Next time someone searches for RaumKraut, that page is top of the list - unless of course you do something even more silly that gets linked to from more sites.

By all means, insist that Google maintain a list of accurate web pages about you that you do not want others to find from your name, but how about using democracy to decide whether such results should be listed:

All those who think the 'right to be forgotten laws' are a good idea, point your browser's search box at google.eu

Everyone else use google.com or duckduckgo.com or baidu, bing, ¡Yahoo!, AOL, ask, wow, webcrawler, infospace, blekko, contenko, dogpile, alhea, ...

If democracy is not for you, then let's put Google's expensively maintained list to wider use: Google should be required to publish the list of names with associated embarrassing links so all the other search engines can rectify their results too.

Flocke Kroes Silver badge

Please start thinking

The offensive material is not on a website controlled or owned by Google. They cannot delete it. What they are required to do is not show links to particular web pages when someone in the EU does a web search for a particular name. For that to work, Google have to maintain a list of names with URLs of the most embarrassing web pages for each name.

It could be worse. Imagine if you had to provide proof of identity and written proof that the embarrassing web page really refers to you and not some other Raumkraut...

Flocke Kroes Silver badge

Where the browser is ...

So I secure shell into some remote machine and start a browser. ssh forwards a connection to my local X server so the remote browser appears on my local display. Anyone would think these laws are being made up and interpreted by people who are clueless about technology.

Whatever the government does, sane people wish they would do it to someone else. If Google wish to protest about vague and nonsensical restrictions and requirements imposed on them, they have to find some legal way to do it. Obeying the restrictions to the letter in a way that is contrary to your interpretation is legal and creates a (partially misinformed) backlash against the people creating the restrictions. The Streisand effect shows how unpopular all forms of censorship are. If Google meekly complies with government censorship then people will pick a different search engine.

It is remotely possible that Google's protest will result in clearer and more even-handed laws. A quick look at our tax laws shows it is far more possible that we can get rid of our cars and ride home on unicorns.

If a politician does not like what someone says about him on a website, he can have Winston Smith rectify the article itself. There is no need to require one search engine provider to fund a bureaucracy that vets search result hiding demands.

Top Apple exec: 'I knew [ebook] prices were going to go up – hell, the whole world knew'

Flocke Kroes Silver badge

Evidence please

If Cue wants to accuse publishers, that is fine - if he provides sufficient evidence for a conviction. Without that, he shouldn't complain that Apple was _unfairly_ singled out. Nothing prevented Apple from going to authors directly and offering a deal that is fair to authors and customers, like Baen or they could have tried something really innovative like unglue.it.

Orion: To Mars, the Moon and beyond... but first, a test flight through Van Allen belt

Flocke Kroes Silver badge

The reason Orion was nearly scrapped ...

... the uncompetitive price.

Privately funded space programs were going to achieve the same goals, and could be bought for far less than the anticipated cost of Orion - even without government funding for Orion's R&D and the inevitable cost overruns.

Buying those votes caused the budget axe to fall elsewhere in the space program, just like the ISS chomps through funding that could be spent on more interesting space missions.

One year on, Windows 8.1 hits milestone, nudges past XP

Flocke Kroes Silver badge

Real argument backed by some actual facts

I do not like Microsoft's licenses.

With GPL & BSD I can install all the software I want on any number of computers for free. I can move software from one computer to another without having to ask permission or having to buy another license. If I want the software to work differently, I have the source code. If someone has not already made the change I want, I can change it myself or hire any competent programmer to make the change. I do not have to beg a monopoly to make the change and accept whatever price they choose to charge for it along with any other 'improvements' they decide to bundle with it. My data is in documented standards compliant formats implemented royalty free by multiple suppliers.

I know Microsoft despises the GPL and would rather juggle porcupines than release software under that license. They keep telling me that BSD is 'business friendly', so when they release Windows with a BSD license I will take a look at it.

systemd row ends with Debian getting forked

Flocke Kroes Silver badge

Where is the off switch?

When making changes, the first thing to do is make an off switch. Set the default position to off, and check that the off switch works. After that, no matter how badly you screw up, people can always get their kit working again by using the off switch.

Network manager configures devices by name, which is a problem because the name depends on which device was attached first. Network manager requires devices run a DHCP server, which is not always possible and is certainly not desirable because the device would need to know which network it is connecting to before it can connect to the network. Network manager detects correctly configured interfaces and messes with them. Luckily network manager's documentation includes an off switch. The bad news is it doesn't work.

I kill network manager, instruct sysvinit to never restart it. I gave each device a unique MAC address, and used /etc/network/interfaces to configure devices based on MAC address. Now devices are correctly configured depending on which computer they are connected to. Fixed and working because of an off-switch... in sysvinit.

I have seen this problem before with KDE desktop search. I anticipate the problem, and configure nepomuk not to index video files, and not to index the disks full of video files. The system locks up because nepomuk has four maximum priority threads indexing the video files on the video disks. I use its off switch, but it doesn't work - next day nepomuk uses four maximum priority threads to index an SSD. The system thrashes so badly that I have to use the power switch. I am greatly indebted to Dovydas and his instructions for killing Nepomuk with minimal swearing.

To be fair to systemd, it ended up on a machine with an old kernel that lacked features it required. I could not ssh in. Luckily the device has a keyboard, but I could not log in either. I had to pull the SDHC card, plug it into a different computer and chroot in to fix it.

Like KDE, if systemd is still around next decade, I will take another look at it.

Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then

Flocke Kroes Silver badge

I am a bit confused

Sometimes I use Google search, but I am not required to use their other services to get search results. Sometimes I use a different search engine, but that does not prevent me from using Google's other services. How are they bundled?

Musicians sue UK.gov over 'zero pay' copyright fix

Flocke Kroes Silver badge

Stop being reasonable - this has nothing to do with reason

I could buy a DVD, or I could pay 'extra' (currently often £0) for a DVD with Ultraviolet. If I can legally rip my DVDs to my local NAS for free, there is no reason for paying extra for Ultraviolet, and a company whose service I will never want will disappear.

I am avoiding Ultraviolet because every view is a download that will quickly surpass my ISP's limits and will almost certainly get bumpy when other people are watching Ultraviolet. With no recurring income, Ultraviolet's servers will die from lack of budget, and I will get the choice of pay per view, or my investment in Ultraviolet evaporating.

Flocke Kroes Silver badge

IIRC: The UK does not have a blank media levy

Several other countries do have a blank media levy, along with arguments about who gets paid, how the money is distributed, and what to do about people creating their own content to store on their devices. The arguments are a big waste of time as the real beneficiaries are usually the people who administer the fund.

Flocke Kroes Silver badge

Please explain ...

Plan A: I buy a CD, illegally rip it to my mp3 player and listen to it through headphones. The RIAA could sue me to bankruptcy and pay the musicians only the royalty on the CD (minus expenses) because the contract does not include revenue from fines (which would be completely eaten by legal fees anyway). Instead, the RIAA don't sue me because of the public outrage it would cause.

Plan B: I buy a CD, legally rip it to my mp3 player and listen to it through headphones. The RIAA do not sue me because I have not broken UK law, even though UK law is not consistent with EU law.

Plan C: I buy a CD, legally rip it to my mp3 player and listen to it through headphones. The government gives a contribution to some revenue distribution company as required by EU law. The distribution company sits on the money until they have spent it all on administration.

How have musicians lost out because I ripped my CD to an mp3 player, listened to it on headphones and the government did not pay the compensation required by EU law?

I'll be back (and forward): Hollywood's time travel tribulations

Flocke Kroes Silver badge

A consistent sequence of events

Imagine a snooker table where anything that falls into the right pocket jumped out of the left pocket a little earlier. If you hit the white ball from one end of the table to the other, that could be all that happens. Another possibility is you hit the white ball, it jumps out of the left pocket, knocks its earlier self into the right pocket and continues down the length of the table. Next time, you hit the white ball, jump over to the left pocket ready to snatch the white ball as it jumps out, but it doesn't (if you succeed, your cat will jump onto the table and bat the younger ball into the right pocket). In each case the sequence of events is consistent.

Marty McFly can watch Emmett get shot by the Libyans, warn him in the past, get back a few minutes ago, watch Emmett get shot again and see him survive because he had a bullet proof vest. What he cannot do is see bully Biff getting his dad's dented car towed home, go back to 1955 and get George to stand up to Biff then return to 1985 and find Biff has been polishing Marty's car that Marty knew nothing about. That kind of adventure requires parallel universes - Marty(A)'s father got bumped by Sam Baines's car in 1985(A). Marty(A) goes to 1985(B) that is not his own past, does not change anything because in 1985(B), George gets pushed out of danger by a time traveller from a parallel universe. Later Marty(A) returns to 2015(B) where Biff polishes cars for a living. Marty(B) really wants to return to 2015(C) because 2015(A) is a horrible universe for the McFly family.

The snooker table resembles what happens on the quantum scale, but embiggened to the point where it is almost certainly fantasy. Parallel universes are a huge cop-out in an attempt to preserve the possibility of time travel despite the fact that no time travellers turned up to Stephen Hawking's party even though he sent them invitations after the event. Magically changing family photos, faxes and newspaper articles are plot devices used by writers of entertaining fiction because they know sticking to known physics would make a dull film.

Renewable energy 'simply won't work': Top Google engineers

Flocke Kroes Silver badge

@Eric Olson

Imagine how bad it would be if you tried going for hardly any to more than the rest of the world combined with wind turbines. Too late - the wreckage of that policy has already given us hefty electricity bills.

Flocke Kroes Silver badge

Re: On the bright side

That sounds like usual government policy. The last time we had conservatives in power, they decided to reduce cycling accidents by making cycling more dangerous. Decide for yourself whether this was to work by discouraging cyclists or killing them. A year later they decided they needed to do some greenwashing, so they promoted cycling as a way to reduce carbon emissions. I asked for more cycle paths, but they must have heard psychopaths because they reduced the capacity of mental institutions in favour of 'care in the community'.

Flocke Kroes Silver badge

The biggest killer per kWH generated is ...

... solar. (Incompetent installers fall off the roof.)

The obvious way to deal with those ~~hippies~~ people is to send them some DIY install solar panels.

Flocke Kroes Silver badge

Tiny heat:

A square meter orbiting the sun at the same distance as Earth gets 1.362 kW of solar radiation (source). The radius of the Earth is about 6300km, so the Earth gets 1.7x10¹⁷W. As the Earth is not heating up quickly, it must radiate heat into space at about the same rate. To make comparisons difficult, large amounts of power are given in TWHour/Year. 1.7x10¹⁷W = 1,500,000,000TWHour/Year.

You can find figures for world energy use here. In 2008, the world used 143,851TWHours, or about 0.01% of the energy that the Earth radiates into space every year.

While looking this up, I came across an interesting couple of numbers. On average, fossil fuel generators are 38% efficient. The most modern fossil fuel generators are 55% efficient. Upgrading old fossil fuel plants with modern equipment would get an extra 52376TWHour/Year of capacity without increasing carbon emissions (2008 figures). The total power output of renewables in 2008 was only 18,492TWHour/Year, so replacing all renewables projects with a fossil fuel upgrade program would have reduced carbon emissions.

SEX BEAST SEALS may be egging each other on to ATTACK PENGUINS

Flocke Kroes Silver badge

Re: Sealguins or Pengseals

If hybrids were named consistently like Tigons and Ligers then the offspring would be a Sealguin. A Pengseal would have a penguin father. At a brief glance, the names are not consistent; for example, the offspring of a male sheep and female goat is a geep. That could be an exception because shoat is another word for piglet.

I am not expecting sealguins to hatch any time soon because seals and penguins are not in the same class, let alone species. Despite a certain Elephant's best efforts, an Elerhino is not likely either.

VXers Shellshocking embedded BusyBox boxen

Flocke Kroes Silver badge

Bash + Busybox

Putting both on an embedded system would be surprising, but not difficult. Busybox is a single program containing cut down versions of commands you select from an extensive list that includes alternatives to bash. It can be static linked, which saves space when there are only one or two separate programs. Bash has lots of handy features that were added for people's convenience without worrying much about how much space they require.

Storage is so cheap that using bash + coreutils + the full version of anything crammed into busybox + all the required shared libraries will still fit into a really cheap flash chip. Despite that, I found no copies of bash on any embedded system I use.

The ease of exploitation and the damage an embedded system can do make it worth checking to see if any use bash. If you find one, please speak up. Somewhere on this planet there must be at least one embedded system vulnerable to shellshock. A vPint to the fellow commentard who finds it.

UK PM Cameron says Internet must not 'be an ungoverned space'

Flocke Kroes Silver badge

Back in the days of SCO vs Linux ...

Penguinistas wanted SCO's website up and running so they could put links in debunking pages to prove SCO really were making ridiculous claims.

If David Cameron wants to create debunking pages at his own expense, then he is welcome to get on with it at his own expense. If, on the other hand, he wants people to hunt down certain websites and believe the contents, then banning is an excellent way to start.

Got a STRAP-ON? Remember to TAKE IT OFF at WORK

Flocke Kroes Silver badge

Try looking at the real world ...

Unfortunately, I am really good at breaking watches. My personal record is under an hour. After that event, I tried a new trick: looking at walls. Lots of rooms have clocks in - many of them even show a similar time. With a little practice, looking at a clock when you walk past it becomes automatic. The next trick is remembering what time you saw on a clock two minutes ago. Very few shops have clocks in (you might realise you are late and stop buying things). Lots of shops print the time on receipts. If you are feeling brave, you could try an information point at a bus station. Judging by the BSODs, these run Windows, and judging by the time they give, they do not have an NTP client installed.

Anyway, all the problems associated with wearable tech can be fixed with a Google/Facebook/Twitter/Whatever wall mounted clock. Now that it is attached to the wall, it can be plugged in, and does not need batteries and recharging. Free/unsecured wifi is all over the place, so such a clock should always be able to show the right time. Add a camera, and Google/Facebook should be able to work out who is looking at it and display an inappropriate advert - especially if they did a web search for strap-ons as research for their weekend article.

Why solid-state disks are winning the argument

Flocke Kroes Silver badge

Like I said

Put the cat videos on a NAS spinning disk.

What is left is usually tiny. I keep seeing computers with ½TB drives that are at least 90% empty space. Give it a year, and I will see more 1TB drives that are 95% empty. Perhaps you really do need to carry the complete Debian archive around with you (source code and binaries for 16 architectures is 1TB). That makes you unusual. Last time I looked at laptops, SSDs were not even an option. It would be nice to have the choice.

BTW - I bet half the reliability problems people experience from USB and SDHC cards comes from buying from a supermarket. The buyers there can get you a crate of fish with a good sell-by date and evidence that the fish have been stored and transported at the right temperature. The same people are less good at spotting the difference between real branded flash and flash made by the same people after hours with recycled half-capacity components and lying firmware. It is worth waiting a couple of days for delivery from a computing specialist - and cheaper.

Flocke Kroes Silver badge

SSDs became cheaper over a year ago

Put your DVD collection on mirrored spinning rust so any Pi in the house can deliver a film without you having to find the DVD, insert it into a player and wait through five minutes of unskippable adverts. Now that the bulk of your data is dealt with, take a look at what is left: I found 36GB (mostly cruft) on my laptop. Choices:

Store's own brand 160GB 5400rpm drive for £23.99

Intel 40GB SSD for £24.98

Store's own brand gets me 124GB of wasted space. I thought 160GB spinning disks ceased manufacture years ago. If I am being optimistic, I would expect this drive has spent over a year gathering dust on a shelf. The pessimist in me thinks it is second hand, refurbished and then spent a year on the shelf gathering dust.

An extra £0.99 gets me 4GB of wasted space on an SSD. 40GB sounds sufficiently old that I would wonder about this being a second hand drive. I bet Intel would send a bus full of lawyers to any retailer trying to sell second hand Intel SSDs as new.

The cheapest spinning disk that a manufacturer would put his name on was £34.98 with 464GB of wasted space. I have a choice of 60+GB SSDs for less money leaving me plenty of space for a sack full of new kitten pictures.

Flocke Kroes Silver badge

SSD can increase power use of a laptop

The CPU spends less time waiting for the disk to spin and more time doing something useful.

Microsoft tells resellers to use Office 365 as loss leader

Flocke Kroes Silver badge

Re: loss leader ?

I thought they were asking resellers to work for less than nothing.

Shellshock over SMTP attacks mean you can now ignore your email

Flocke Kroes Silver badge

501 Syntactically invalid HELO argument(s)

Flocke Kroes Silver badge

Mutt gets so close that I decided to check

Mutt does almost everything by delegating the task to some other program selected in the ~/.muttrc file. For example, sending an email is controlled by a setting like this:

set sendmail="/usr/sbin/sendmail -oem -oi"

man muttrc for the sendmail variable says:

"Mutt expects that the specified program interprets additional arguments as recipient addresses."

When you reply to an email, mutt creates a string by appending the recipient addresses to the sendmail variable, then gets the user's shell (probably bash) to interpret the result.

I tried changing the reply address in an email to things like $(hostname)@localhost and replying. Mutt kept sanitizing the reply address so bash never saw anything dangerous.

I had to hunt through muttrc's man page for about a quarter of an hour before I found a way to get the reply address into a command line. Mutt lets you put all sorts of things into command lines, for example %h is replaced by the local hostname. The list of substitutions is different for each variable. I did not find any remotely generated strings available as substitutions in shell commands. Someone thought carefully about blocking advanced users so they cannot accidentally reconfigure remote execution flaws into their mail reader.

I was surprised to find mutt was using bash. I expected it to use the 'system' function which calls /bin/sh which (on Debian systems) is a link to dash, not bash. It probably found bash in the SHELL environment variable, which defaults to bash on most Linux distributions.

Linux is covered in places where every detail can be reconfigured with a shell script. The mail system is often extremely flexible, with support for different delivery and transport agents, and multiple spam and virus checkers on incoming, outgoing and forwarded messages. I am not surprised that crackers are looking for weaknesses here. There might even be one to exploit (on systems where a half-competent sysadmin has failed to do something clever).

Updating to a recent bash will block this exploit search, so if you haven't already, do it now.

Computer misuse: Brits could face LIFE IN PRISON for serious hacking offences

Flocke Kroes Silver badge

Corruptissima re publica plurimae leges

How many laws have we got already?

Back to the ... drawing board: 'Hoverboard' will disappoint Marty McFly wannabes

Flocke Kroes Silver badge

Saw this type of mag lev in action in 1985

Take a big coil of thick copper wire, plug it into the mains and drop it on a thick sheet of aluminium. The coil will hover and try to fall off the edge of the sheet. If you drill a hole in the sheet, the coil will hover over the hole because moving away takes it further from an edge. With two sheets, you can pretend your coil is a train, and the gap between the sheets is the track. Turn it off before the insulation on your copper wire melts. Afterwards, you can wonder why your train ticket, credit card and floppy disks (1985-style data storage device) don't work.

If you are going to try this on a copper plated surface, be sure to film it. The huge currents in a thin layer of copper will heat things up fast. What happens next depends on what you copper plated. You can get a nice bubbly effect by vaporising the resin in fibreglass. The bumps will break the copper into flakes, which will be scattered by the alternating magnetic field. Your expensive board will then drop onto the hot fibreglass resin.

Control circuits that keep the board level would have been difficult to fit on a board in 1985. Control circuits that keep the board from zooming off the edge of the conductor and the 7 minute battery life are impressive now.

Scientists skeptical of Lockheed Martin's truck-sized fusion reactor breakthrough boast

Flocke Kroes Silver badge

Patents

I think you're right about this being a patent scam, but there are lots of things to patent. Pretend Lockheed get a pile of investors to fund a prototype-mini-tokamak-for-aircraft subsidiary. A decade from now, the subsidiary goes bankrupt, but in the meantime it has hired Lockheed to make all the parts needed for a fusion reactor (not just the tokamak), and Lockheed has got all that experience for free.

They will need big superconducting magnets, and the cryogenics to cool them.

The easiest fusion reaction is deuterium + tritium. Tritium has a half life of 8 days, so you have to make it yourself. The obvious way to make tritium is to use the neutron flux from a tokamak to break up lithium. A complete fusion reactor includes a lithium jacket and all the machinery required to separate tritium from lithium.

While we are at it, a fusion reactor creates helium, which you want to get out of the reactor before it cools things down. One of the many complicated bits of ITER is getting some of the fuel/helium mixture out, separating out the helium and pumping the fuel back in again.

Getting the fuel in is fun too. Freeze it solid and shoot in pellets of fuel with a gas gun.

Even if Lockheed has a magic tokamak design that fits on an aeroplane, all the extras needed to make it go would not fit on an aircraft carrier. Lockheed should not be comparing their device with ITER anyway. ITER is a huge steam factory to investigate the technology. The prototype for a commercial electricity generating reactor is the gigantic (fictional) DEMO.

Flocke Kroes Silver badge

Try hunting down that NASA quote

I did ages ago. It was something like "If it works, it would be great". No-one from NASA has said "It is not a scam", which leads me to ask: Why do the E-Cat guys need to publicise a misquote?

The E-Cat demonstration could be faked by any competent chemist. If there was a working prototype, it would be making money by itself without investors.

Of COURSE Stephen Elop's to blame for Nokia woes, says author

Flocke Kroes Silver badge

Pictures or it didn't happen

Where is the evidence for this "Nokia was in a death spiral before Elop" nonsense? Before Elop, Nokia had more unit sales than Apple and Samsung combined. The picture for growth, revenue and profit is even more damning.

When Microsoft extended their (now broken) monopoly into a new market, they bought a major player in that market. They did not buy the market leader because that was too expensive. The second place player always had hopes of becoming first rate, so they were out too. A third rate company knows they are third rate and price accordingly. That has historically been Microsoft's choice. Elop set up his bonus to pay out when Nokia was sold to Microsoft. Sale to others (there were offers) would not have been in the Trojan's best interest.

I thought Elop sending Nokia all the way to tenth place instead of stopping at third was a sign of incompetence. Microsoft rewarded him anyway, so perhaps that was the plan all along.

How much is Microsoft earning from its Android taxes again?

Flocke Kroes Silver badge

Re: @Graham Marsden

Have you got evidence of a patent that was granted and applied for properly serving a useful purpose?

Flocke Kroes Silver badge

According to the patent lobby...

Hundreds of thousands of free software developers are reading through patent filings, and after they have read some, they are instantly ready to release software.

In the real world, programmers do not read patent filings because at best it is a complete waste of time, and at worst, triple damages for wilful infringement.

Why do we have a patent system at all?

Bored hackers flick Shellshock button to OFF as payloads shrink

Flocke Kroes Silver badge

Number of _unique_ payloads ...

There is some evidence of boredom: the number of unique payloads peaked on the 27ᵗʰ. Before that, people were creating and debugging new exploits. After that, the only new people trying to join the party were script kiddies.

One of the fun things about this flaw was it only required basic knowledge of bash scripting, CGI and Google fu to play with on your own network. You could get results in under a minute. Having enough knowledge to route the attack through the neighbour's open wifi and Tor (or not caring about being on the NSA's shit list) cut the numbers down to about 10,000 (assuming most of them got the code right by the second attempt).

Heartbleed would have required understanding cryptography, reading the source code, developing some complex software in a compiled language and using lots of network bandwidth. Like most security flaws, it wasn't something I could play with in my tea break. Now that everyone with a clue has patched, I might have to spend all day next door to the library's wifi to find a machine vulnerable to shellshock. Only people set up to profit from a botnet are going to bother.

If there is a next round, it will involve machines that are tricky to patch. That would point at embedded systems if most of them weren't too small for bash. Apparently some NAS boxes are vulnerable, but people dumb enough to put unencrypted SAMBA or NFS on the internet store their selfies in the cloud with easy to guess forgotten password recovery questions.

Want to see the back of fossil fuels? Calm down, hippies. CAPITALISM has an answer

Flocke Kroes Silver badge

Mass production does not help windmills

Mass production of windmills on a scale needed to meet UK government targets on renewable energy would drive up the cost of materials - if you could find a place to install them.

Years ago, you could install X mega Watts of wind capacity and expect to get 33% of X because the wind does not blow all the time. Later, that load factor dropped to 30% because all the good sites where you could get planning permission already had a windmill. These days a good site is 27%, and it is likely to be in the sea. One of the Orkney Islands was really happy about their site having a load factor of over 60% - until they found out how much a power cable to Scotland would cost them.

Windmills are not limited by a conspiracy of coal and oil merchants. They are limited by the number of good sites, and a bunch of NIMBYs blocking construction on most of the accessible sites. All the numbers you need to estimate the consequences of an energy policy are here. I am sure oil merchants would love to put the boot into renewable energy. In real life, they do not have to do a thing.

Flocke Kroes Silver badge

Some hydrogen people are not stupid or silly

There have been a bunch of hydrogen concept vehicles dating back to the nineties, and new ones keep appearing like a hydrogen powered bicycle and a hydrogen powered tractor. The technology has advanced to the point where hydrogen vehicles are practical and even competitive in a few niche markets:

36 fuel cell buses successfully completed a three year trial in 2007.

A hydrogen internal combustion engine fork lift truck has been in production since 2008.

Hydrogen does come with all the problems you mention, but they are solvable and the cost of those solutions is falling. The difficult thing to guess is whether it will be cheapest to store hydrogen, or to combine hydrogen with carbon from CO₂ to make a more convenient fuel.

Flocke Kroes Silver badge

Try it with some numbers

Let's start with solar power: about 1.4kWatt/m². Half the time there is a planet in the way, and if you do not live on the moon, there is an atmosphere with clouds. That trims the power available to 100Watt/m² in the UK. You can bump that up a bit if you angle your solar panels towards the sun. If you spin them once per day, you can have 200Watt/m². (Source: Sustainable energy without hot air.) I will use 100Watt/m², so you can multiply it by the area of your home without having to think about the angle of your roof.

A small car can go about 17km with a litre of petrol (for example: Nissan Micra). Wikipedia has figures for the energy density of fuels. Petrol is 32.4MJoules/litre, so I can go 523m with 1MJ of petrol. 1MJ of hydrogen should take me about the same distance. Each square metre of land gives me on average 100x60x60x24=8640000J per day of solar energy. Converting to hydrogen is 12.3% efficient, so I can go about ½ km per day for each square metre of roof.

If I covered 5 by 6 paces of roof with solar→hydrogen panels I would get enough hydrogen for my transport. Someone else in the house could sensibly run a car too, but a third driver requires covering the garden.

Remember: solar power costs the most lives per megawatt of installed capacity because DIY installers fall off the roof. Hydrogen/air mixtures are really good at going bang. Test your hydrogen leak detectors regularly.

Special iPhone trousers will ease Apple into the fashion world

Flocke Kroes Silver badge

If Darryl's fashion tip catches on ...

The news group posts might be genuine:

dict 'baggy pantsing'

Nicked iCloud snaps: Celebrities were 'dumb' – new EU digi boss

Flocke Kroes Silver badge

Stupid was a poor word choice

It causes a defensive reaction, which does not lead to people learning how to protect themselves.

A better word choice would be computer illiterate - especially if it is understood that the level of competence required to keep private data secret on an internet connected device is 'computing professional' at minimum. For high value data, that should be uprated to 'computer security specialist'.

Most people are not going to go to the trouble of getting that level of computer literacy. If they have to take nude selfies, then their only hope of keeping them secret is to use a camera with no radio, and not to view the photos on any device with an internet connection or enough storage to hold a copy. While we are at it, a reminder that cameras can only be assumed to be off when the lens cover is on. Getting people to listen to that message is difficult if you start by saying "You're so dumb."

Scrapping the Human Rights Act: What about privacy and freedom of expression?

Flocke Kroes Silver badge

Will the preaching hate law ...

... apply to politicians?

SMASH the Bash bug! Apple and Red Hat scramble for patch batches

Flocke Kroes Silver badge

Because the flaws were very different

The first flaw was that when bash imported a valid function from the environment, it interpreted anything after the function as a bash script.

The second flaw was that if the function definition in an environment variable started out correct, but contained a certain type of invalid syntax in the middle, followed by the character '>' which redirects stdout to a file and a \ at the end to say that the rest of the command is 'on the next line of input', then bash would keep the '>' and put it at the start of the next line of text to be interpreted. Normally, the first word in a line of bash is a command, followed by its arguments. Redirecting stdout can be placed anywhere, and the '>' and file name are removed from the text so they do not show up as an argument for the command.

That second flaw is a radically different path through the code that handles an odd corner case. It is not surprising that people concentrating on fixing a different problem while keeping as much as possible of the interpreter the same (to avoid breaking any bash scripts) missed this.

Bash collected handy features because they were useful on the command line. Years ago, sh was often a link to bash so those features would be available to all the scripts in the operating system, and would be available when one command starts another with the 'system' C library function. All those handy features created a large attack surface, which was dealt with in multiple ways:

The 'system' library function became unfashionable. Programmers should use something like 'execve' instead, which does not invoke 'sh'. The link from sh to bash changed to point at a cut down shell like ash. Bash could continue to grow handy features, but ash remained small and easier to audit for security issues. Part of the reason bash had a major flaw for decades was that people were looking at ash and its derivatives instead. Security researchers did not expect bash to be used where security was required.

Oracle SHELLSHOCKER - data titan lists unpatchables

Flocke Kroes Silver badge

Perhaps someone familiar with Oracle products can tell me...

Are these 32 products with bash installed, or 32 products that I can remotely convince to run bash with my choice of data in an environment variable?

At a brief glance, at least some of these products allow a competent sysadmin to download the source code for bash, apply a patch, compile and install a fixed version - all without any help from Oracle. Is this true of all 32?

Flocke Kroes Silver badge

Do your research before you buy

Firstly - do you actually have an embedded device with bash installed? Bash is big, and if embedded devices have a shell at all it is usually one of the mini ones like lash which is not vulnerable to this flaw.

Secondly, pretend a flaw is found in lash tomorrow, and you have a device for which you cannot download the source code, apply a patch, cross compile and install new firmware. <shouting>Why did you buy it?</shouting>. There are plenty of hackable devices out there. If you want a router, pick one that is easy to install openwrt on. The reason locked down devices exist at all is because people buy them. Stop it at once, or you have to pay whatever the vendor demands for updates.

Stunned by Shellshock Bash bug? Patch all you can – or be punished

Flocke Kroes Silver badge

Checking the TV

I did a web search before purchase and picked one that was hackable. There is a magic sequence of buttons on the remote control that gives you the service/retail menu. One of the options enables shell access on a serial port on two unused pins on the VGA input. Just solder a VGA connector to a 3.3V serial to USB converter, plug it into your Pi and start miniterm. I picked an old TV, so most of the work had already been posted on the internet. Take a look here to see what sort of things are available.

I strongly recommend searching for a hackable device before purchase - especially for long lifetime items like a TV. If you cannot recompile and install the firmware yourself then you are dependent on the vendor producing patches. Plenty of vendors think that ending support for a product is a good way to force users to buy a new toy. Just imagine how bad things would get if computers used secure boot so people could not install their own BIOS...

Flocke Kroes Silver badge

CVE-2014-7169

Was fixed on Debian and Raspbian before this article appeared.

Anyone have a vulnerable embedded system? My TV and router do not have bash installed.

Bash bug: Shellshocked yet? You will be ... when this goes WORM

Flocke Kroes Silver badge

It is nastier than that

Using the CGI attack vector, the web server will un-url-escape a string I supply and put it into an environment variable. The CGI script is expecting an unescaped string, so the standard does not provide a way to prevent my choice of string going into an environment variable.

Bash provides a mechanism to export bash functions to a bash sub-process. Bash assumes any environment variable starting with '() {' is a function. Defining a bash function is part of the bash language, and bash uses the bash interpreter to convert the environment variable into a function definition. The bad news is that the interpreter did not stop at the end of the function definition. Extra text in the environment variable after a function definition gets interpreted just like a bash script.

If a web server has a vulnerable version of bash, and a CGI script either written in bash or using a bash sub-process that receives the CGI environment then remote users can execute their own bash scripts with the authority of the web server.

The obvious places to prevent this are any of these:

*) make bash stop interpreting function definitions at the end of the function definition.

*) use something like fastcgi which passes parameters through file descriptors instead of environment variables.

*) Do not write CGI scripts in bash AND ensure that the environment is sanitized before starting a bash sub-process.

Flocke Kroes Silver badge

Lots of sites have man-pages

In the first google search I tried, three of the first four sites use a CGI bash script to return search results for man pages. Those sites either have already, or urgently need to, replace bash.

Flocke Kroes Silver badge

Depends...

If there was some way to remotely pass environment variables through bash, then yes, you might already have been screwed. I would expect that there is a patched version available for OSX by now. Go find it.

Flocke Kroes Silver badge

Important, but easily fixed

You do not need to get your vendor to tell you if you are affected. Just type:

x='() { :; } ; echo shellshockable' bash -c 'echo test'

If you updated your software last night (this morning for Raspbian) you will get:

bash: error importing function definition for `x'

My router says:

/bin/sh: bash: not found

Embedded systems often use one of the trimmed down shells available with Busybox. Ash and lash are not vulnerable.

This is important, as CGI passes parameters through the environment, CGI scripts can be written in bash and it is easy to install vast amounts of software on a Linux system, some of which might still use '90s tech because it did not break every time a vendor required their users to buy an upgrade. If you need to test some embedded system without any obvious access to the shell, try a google search for your device's name with the word 'telnet'. If you actually find one that uses bash, and the vendor does not have new firmware ready by tonight, look for a replacement that can run openwrt.
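The one-liner quoted in the post above, and the "sanitize the environment before starting a bash sub-process" step from the "It is nastier than that" post, wrapped into shell functions as an added example (this is not the commenter's code). The function names are my own; it assumes a POSIX sh with `env` on the PATH.

```shell
#!/bin/sh
# Added example, not from the original posts. Wraps the one-liner above in a
# function, and adds the environment filter a CGI wrapper could apply before
# starting a bash sub-process.

# Prints one word: "patched", "vulnerable", or "no-bash" (Busybox-only box).
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # An unpatched bash imports x as a function and then runs the text that
    # follows the function body, so "shellshockable" appears on stdout.
    out=$(x='() { :; } ; echo shellshockable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *shellshockable*) echo vulnerable ;;
        *)                echo patched ;;
    esac
}

# Returns 0 if a value may go into a bash child's environment, 1 if it starts
# with '() {', the prefix that unpatched bash treated as a function export.
is_safe_env_value() {
    case "$1" in
        '() {'*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Lists exported variables (one name per line) whose values carry that prefix,
# so a CGI front end can reject the request or drop them before calling bash.
suspicious_env_vars() {
    env | while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac   # skip continuation lines
        name=${line%%=*}
        value=${line#*=}
        is_safe_env_value "$value" || echo "$name"
    done
}
```

Run `shellshock_check` on each box; on the CGI side, call `suspicious_env_vars` (or `is_safe_env_value` per allow-listed variable) before handing the request to any script that might start bash.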

Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI

Flocke Kroes Silver badge

The usual trick

PHB asks for proof of concept demo software to get some investment. Funds are needed urgently, so "You can save time by not bothering with security." When that version is delivered, the software 'works', so it must be 'complete', and there is no need to waste time or money on changes that only matter to engineers. PHB will ship it as is.

Biting the hand that feeds IT © 1998–2019