* Posts by Michael Wojcik

5171 posts • joined 21 Dec 2007

IBM swings shrink ray from workforce to mainframes

Michael Wojcik
Silver badge

Re: I'd like to have an honest non-marketing answer to the question...

I'd like to hear a good answer to why Linux on z rather than on another platform?

Sometimes simply because the organization already had a big investment in z and was testing the waters for migrating some of the application load to Linux. Often the applications in question were written in Java, so moving them was relatively easy.

When zLinux first came out, virtualization was also a big selling point. The z hypervisor (basically a stripped-down version of IBM's VM OS, the granddaddy of hypervisors) could accommodate a huge number of tenants - I recall Usenet posts describing tens of thousands of zLinux LPARs on a sysplex. There are use cases for that sort of thing, and doing it with, say, VMware on x86 hardware around the turn of the century would have been a hassle, particularly to manage.

These days with containerization (and particularly the rapid growth in management and orchestration tooling) the virtualization features of zLinux are no doubt less of an advantage.

But I still see a fair number of organizations investing in zLinux, and they have some reason for doing so. We've even had customers put our mainframe-environment emulation systems on zLinux, running CICS, IMS, and batch workloads under zLinux rather than in conventional zOS LPARs.

0
0

Boffins pull off quantum leap in true random number generation

Michael Wojcik
Silver badge

Re: what about

if someone else has generated the randomness you are using for your Certificate Signing Request, you cannot guarantee the security of your website ever after

You cannot "guarantee the security" of any system, ever, under any conditions. That is not a meaningful claim.

There are plenty of physical processes that generate sufficient information entropy to seed cryptographic pseudorandom number generators (CPRNGs) sufficiently for most purposes. CPRNGs only need to raise the cost to the attacker higher than the attacker's evaluation of the value of breaking the CPRNG.

The vast majority of X.509 certificates will never be used to secure sufficient value to justify trying to break the CPRNG used to generate their precursor CSRs.

It's true that attacking CPRNGs has been successful in many prominent historical instances; the original Netscape SSL implementation and the Debian OpenSSL break are two well-known examples. But in the vast majority of cases there are cheaper vulnerabilities, and almost no one has a use case that requires a provably random entropy source.

1
0

Get ready for the Internet of Battle Things, warns US Army AI boffin

Michael Wojcik
Silver badge

"cyber robots"?

Presumably a "cyber robot" is one that includes a control system which incorporates feedback. Or, in other words, any robot. Because that is what "cyber" meant when Wiener coined "cybernetic".

The lazy, foolish abuse of "cyber" is well-established, of course, going back to Clynes' idiotic "cyborg" neologism in 1960. But that's no reason for the Reg editors to aggravate the situation. You all can be better than the common-or-garden variety of tech journalists.

1
0

They're back! 'Feds only' encryption backdoors prepped in US by Dems

Michael Wojcik
Silver badge

Re: I find it interesting

no hacker has published Trumps tax returns

What's the incentive to?

It's trivial to forge a tax return, and possible to create a pretty plausible one. So if you just want to publish a tax return you claim is Trump's, showing whatever it is you'd like to show, there's no reason to bother "hacking" anything.

So say someone publishes what they claim is Trump's return for one or more recent years. Then:

- Trump denies it. There's no advantage to him in admitting it's genuine, if it is; and if it isn't, even less to pretending otherwise.

- Supporters who feel the return justifies their support will claim it's genuine but for reasons of "privacy" or "security" Trump is denying it. Those who feel it puts their man in a poor light will claim it's a fake.

- Trump opponents would almost certainly seize on it as further evidence of Trump's mendacity, but they don't need any more evidence of that. They're already convinced, and they're not likely to convince many others at this point.

It's far more useful for opponents to keep demanding that Trump release the returns himself. He almost certainly won't, so they can continue to claim he's hiding something. It's more useful for supporters if no returns are released, because whatever they say and regardless of whether they're genuine they just fuel an argument that supporters prefer would die down.

2
0

2018's Lenovo ThinkPad X1 Carbon laptop is a lovely lappie

Michael Wojcik
Silver badge

Filtering out unwanted brushes of your palm is the hallmark of a good trackpad.

That may well be true, but I've never seen one that does an adequate job of it. Certainly the trackpad on my accursed Dell Precision laptop (new as of this year) does not. Nor does the one on my wife's MacBook Air.

0
0
Michael Wojcik
Silver badge

Re: Pictures please

Not so gigantic.

And, really, why would I care if it were? I'm not going to be sticking it in my pocket or anything. I'm not sure this is the feature of a laptop I care the absolute least about, but it's way down on the list.

Of course, I'm currently suffering the horrible Dell Precision 5520 that IT have bestowed on me, so I'm inclined to look favorably on any ThinkPad with a TrackPoint.

0
0

How life started on Earth: Sulfur dioxide builds up, volcanoes blow, job done – boffins

Michael Wojcik
Silver badge

Re: Ashes to ashes

Whom is "they?"

Since we're griping about usage, why do you think the objective case is appropriate here?

Now, had you written "to whom does 'they' refer?" you'd have had a reason for it. In your formulation, though, it's just false elevation.

2
0

Are meta, self-referential or recursive science-fiction films doomed?

Michael Wojcik
Silver badge

Re: Films - meh

Santaroga Barrier and Hellstrom's Hive were also crap, but Dragon In The Sea and Destination: Void were very good.

Tastes differ, of course, but I found Destination: Void (and its sequel The Jesus Incident) no more than moderately interesting, while I quite liked the Cold War paranoia of The Santaroga Barrier.

0
0
Michael Wojcik
Silver badge

Re: Films - meh

Well, your 12 year old was the upper limit of the target audience, certainly for the first [Harry Potter] book.

That's a weak excuse. There's a great deal of good children's and young-adult fantasy which remains entertaining and interesting for older readers.

I don't begrudge Rowling any of her success. The books aren't pernicious, just lousy. Rowling gave people something they wanted, and she got lots of folks reading for pleasure who otherwise might not have.

But, man, those books are bad - at least the first, second, and fourth, which were the only ones I managed to read (and I read a lot of children's fantasy). Simplistic characters, uninspired prose, and plots that depend on the unimaginative use of magical devices which if employed properly or consistently would have overwhelming consequences. The whole Harry Potter world is inherently broken.

(Some months back I read Rainbow Rowell's Fangirl and was amused to note that the protagonist's fanfic, for a fictional HP-style series, was considerably better written than the actual Potter books.)

I hope at least some of the hordes of HP fans eventually go on to better children's / YA fantasy. Like, say, Turnbull's The Frightened Forest. Or McKillip's Riddle Master trilogy. Or Hopkinson's Brown Girl in the Ring. Le Guin's Earthsea books. Mieville's Un Lun Dun. Okorafor's Binti. Moriarty's Colors of Madeleine series. Bacigalupi's Ship Breaker. Gaiman's Stardust, Neverwhere, The Ocean at the End of the Lane. (Those are published as adult novels but are perfectly accessible for children.) Valente's The Girl Who Circumnavigated Fairyland in a Ship of Her Own Making, which deserves to be read on the strength of its title alone. Pratchett's YA books, particularly the Tiffany Aching ones. There are so very many examples of terrific fantasy novels for children.

0
0

Microsoft Office 365 and Azure Active Directory go TITSUP*

Michael Wojcik
Silver badge

Re: @ Christian Berger RE: "Since most IT-departments are horribly bad at what they are doing"

It perfectly demonstrated the types of people who frequent this forum.

Usage pedants, right? Because Christian used "it's" where "its" was wanted. That's the only reason I ever downvote anyone.

0
0

T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more

Michael Wojcik
Silver badge

Re: outlook.com is not offering "end-to-end" email encryption

The link you provide is to the desktop app, which supports S/MIME

And has at least since 2003. Unfortunately, few people use it, probably because:

- X.509 PKI has always been, and remains, a mighty clusterfuck for non-experts to administer and use. Actually, it's a mighty clusterfuck for experts too; we're just aware of it.

- Users would have to obtain certificates from public CAs if they wanted recipients outside their organization to be able to verify their signatures, and that costs money.

- At least in the past, signatures weren't timestamped, so you had the usability problem that old messages would eventually start showing signature errors when the signing certificate expired. It's not much of a concern if you checked the signature before the certificate expired,[1] but it's annoying and confusing for users. I don't know if that's been fixed.

- The usual critical-mass problem: It's never become sufficiently popular to drive further adoption simply by its own popularity.

- Many security professionals, who might otherwise have helped drive S/MIME adoption, stick with PGP[2] instead.

- Outlook's S/MIME implementation has been problematic.

Personally, I trust Outlook's S/MIME more than whatever Microsoft is now touting as "Outlook end-to-end encryption" (even if that S/MIME implementation was largely useless as recently as last year). But in practice when I need encrypted email I use PGP, as only a few people I correspond with are set up for S/MIME.

[1] Except for the revocation problem. The issue there is that CAs remove expired certificates from CRLs and OCSP responses, because otherwise their lists of revoked certificates would grow unbounded. But that means that once a certificate has expired, you can't tell whether it was ever revoked (unless you saved that information yourself). Of course timestamps don't solve this problem, and arguably aggravate it. But revocation is its own special circle of PKI Hell.

[2] Well, with some OpenPGP implementation, usually gpg.

0
0

Super Cali goes ballistic, Starbucks is on notice: Expensive milky coffee is something quite cancerous

Michael Wojcik
Silver badge

Re: Another "Super Cali" headline?

"Texas looks interesting."

You better be quick, apparently Texas is sinking!

Sure. And like most of the Southwest it's dangerously short on water, too. But that doesn't make it less interesting. Less appealing, perhaps, but not less interesting.

Bacigalupi's The Water Knife is an entertaining look at just how interesting the Southwest as a whole might get. (Those who prefer nonfiction might want to try Cadillac Desert, Reisner's classic history of the region's water troubles, which Bacigalupi references heavily.)

0
0
Michael Wojcik
Silver badge

Re: They should put...

Has anyone got a link showing the turnout and voting numbers?

Prop 65 is unlikely to have significantly affected turnout. It was on the November 1986 ballot, which also featured a race for the state governor.

I haven't found statistics specifically for Prop 65, but some 7.4M people voted for governor. That's a bit low by California standards but not tremendously so.

I'd guess that the vast majority of those people did not abstain from the Prop 65 question, since it was right there on the ballot and once you've gone to the trouble of voting in the first place, why not check something? Educated voters are likely to have an opinion; uneducated ones aren't likely to care whether their vote is productive.

Wikipedia further claims that it passed with a 63% yes vote, though it doesn't provide a source for that statistic.

So if, say, only 10% of people who voted in the gubernatorial race abstained from the Prop 65 question, that's around 4M who voted in favor.

0
0
Michael Wojcik
Silver badge

Re: They should put...

Are there any sane politicians in California for a start? If there are then why don't sane people vote for them or are everyone suffering from an advanced case of the stupids?

However interesting that question might be, it's irrelevant in this case. Proposition 65, like all "propositions" in California law, was a ballot initiative passed by direct vote of the electorate. It wasn't passed by politicians. (Of course some politicians may have voted for it as citizens, but it was not the work of the legislature.)

As is generally the case with "direct democracy" in the US, Prop 65 is largely useless. It's difficult to find a product that does not have a Prop 65 "known to the state of California" warning on it, so they're widely ignored.

In states where they have an effect, ballot initiatives are generally employed by well-funded groups to mobilize the tyranny of the masses to pass some idiotic, counter-productive law. In other states, such as Michigan, they're just a waste of time and effort. (Michigan's constitution prevents ballot initiatives from overriding any law with a spending component, so when an initiative is passed that the legislature doesn't favor, it just writes an overriding bill and tacks some spending measure onto it.)

0
0

Donald Trump jumps on anti-tech bandwagon, gets everything wrong

Michael Wojcik
Silver badge

Re: "supports Trump's arguments that the media is biased against him"

You have to go down many levels in the line of Presidential succession to get to one who is at least partially sane

Well, Orrin Hatch is President pro tempore, so he's up after Ryan. I'd say he's "partially sane". He'd be a disaster as POTUS, though: he favors the police state (he's a terrorism fearmonger) and badly wants a balanced Federal budget (which is a defensible position, but we certainly can't switch to one at the drop of a hat without massive economic turmoil). On other matters he's rather a mixed bag - anti-gay-marriage but pro-civil-union, pro-religion but applies that to all religions, and so on. Something to annoy everyone, I guess.

Dig down a few more and you come to Jim Mattis, who is a bit of a cipher, since he's ex-military and has not been a political figure for long. On foreign policy, though, he does seem to be a pragmatist interested in improving geopolitical stability. Beyond that, who knows?

But, yeah, not a lot of appealing options in the current line of succession.

4
0
Michael Wojcik
Silver badge

Re: @Pascal Monett -- "Can you still be President if you're in the pen?"

Impeachment is the first step. The second one is "remove from office".

Really the second step is the trial (by the Senate, and if the defendant is the POTUS, presided over by the Chief Justice of SCOTUS). If a two-thirds majority of the Senate vote to convict on one or more of the charges listed in the Articles of Impeachment (which come from the House of Representatives), then the defendant is removed from office.

So removal is really a consequence of the trial. You could call it part of the "second step" (since the Constitution doesn't specify the process in terms of "steps"), but mainly that second step is the trial itself.

Note that all the Senate can do is remove the convicted defendant from office and optionally bar him or her from holding Federal office in the future. To actually put Trump or any other former President in prison, there would have to be a regular criminal trial after impeachment, conviction, and removal.

In Trump's case, it's all but certain that Pence would pardon him. Ford pardoned Nixon, and that was political suicide; but an impeached Trump would see a large swathe of his followers digging in their heels and proclaiming his innocence. They would be instant Pence supporters. So we're not likely to see Trump in prison, if he gets impeached.

What if Trump got impeached, convicted, and removed from office, but prosecutors waited for a friendlier President before bringing charges? Pence could still pardon Trump. Ford preemptively pardoned Nixon when no charges had been brought, for every Federal offense he "may have committed".

There's been much discussion of whether Trump could pardon himself. Some legal scholars say no; others say it's unclear. Presumably if he tried it SCOTUS would have to decide.

So, the only way to get Trump in prison, at least on a Federal conviction, would be for someone not sympathetic to him to become the next President (otherwise he'll get preemptively pardoned), and either for him to not try pardoning himself (and what does he have to lose?), or for SCOTUS to rule that he can't.

The same, of course, would apply to some hypothetical other President who might run afoul of the law. I can't see that ever happening, though. Usually they're swell folks who hold themselves to the highest ethical standards.

3
1

Please no Basic Instinct flashing, HPE legal eagles warn staffers

Michael Wojcik
Silver badge

Re: Its one way to liven up the holiday snaps of Mijorca

Limit the slides to 10 per presentation, so your colleagues don't go stir crazy

Ugh. Ten slides in a 40- or 60-minute presentation? If I'm in the audience, I'd much prefer a lot of slides that go by quickly, so I'm not staring at some three-bullet list of inane points for ten minutes.

Even better, avoid bullets and lists as much as possible. For my corporate presentations I have to play by fairly traditional rules, but in my academic ones I often have no bullet points at all. I've seen some really great no-list / no-bullet presentations from academics.

(Academic presentations tend to run the gamut. At one conference I saw a beautiful non-traditional one, and at the next talk one incompetent had nothing but five slides of URLs in purple on a black background.)

3
0
Michael Wojcik
Silver badge

Re: I Think I'm Going To Throw Up

Never had butterflies, anxiety or owt like that.

Before I gave my first professional presentation, I was sure I'd be struck with stagefright, as I've never been the gregarious sort. But as it turned out I felt quite comfortable (if anything too eager), and I've always enjoyed presenting since. I ascribe it to my deep and abiding egotism.

2
0

Cambridge Analytica 'privatised colonising operation', not a 'legitimate business', says whistleblower

Michael Wojcik
Silver badge

Re: "physops" -> "psyops"

You be sure leave all the physops to us physicists

Except for those who are severely ontologically challenged, I don't think that's physically possible. Personally, I can't get through the day without quite a few physops.

Hell, without Fermionic exclusion, I'd be crushed, simply crushed. I couldn't take it.

1
0
Michael Wojcik
Silver badge

Re: Really?

Psychology is a field only a little better than homeopathy. It doesn’t work as well as these guys want you to think.

The Dunning-Kruger is strong with this one.

AC might also want to read Holiday. While it's difficult to influence a given individual in a specific way,[1] sentiment manipulation in populations is well understood and a large and highly effective business.

[1] Except by employing intrusive technology, such as psychoactive pharmaceuticals or other brain-manipulating mechanisms in concert with appropriate stimuli. That sort of thing seems to work just fine. Descartes' Evil Genius is here; he just doesn't scale.

1
1

Intel shrugs off ‘new’ side-channel attacks on branch prediction units and SGX

Michael Wojcik
Silver badge

Neither specific to Intel, nor "flaws"

with a little lateral thinking, Intel’s products can be challenged in many ways

As can all superscalar processors. All of them. While details like SGX are Intel-specific, Spectre-class side channel attacks will apply to any machine that 1) runs a mix of code from different trust domains and 2) does not blind every single operation.

And, once again, these are not "design flaws". They are deliberate design decisions, trade-offs made to select performance over security. They're what the market demanded. Had Intel prioritized security over performance, they'd have been out of business decades ago. Hell, they couldn't even sell the 432, at the same time that IBM was successfully selling a capability-based architecture in the System/38.[1]

Now suddenly the market is full of remorse, having discovered that systems and exploits have advanced to the point where side-channel attacks are practical against their beloved fast general-purpose systems running a toxic mix of sensitive and untrustworthy code. Well, them's the breaks, kids. Blaming Intel for delivering what people would buy is unfair.

Now, blaming Intel for Meltdown is another story (though again they aren't the only offenders). Letting spec-ex cross security boundaries was a dangerous shortcut, and the engineers should have recognized that and pushed back even though it would have throttled performance a bit. And we can criticize Intel's initial handling of the Meltdown/Spectre disclosures. But having Spectre-class vulnerabilities is something we - people who buy computers - brought on ourselves.

(Cue another set of downvotes from the readers who want an easy scapegoat.)

[1] And only a couple of years after the 432 was discontinued, IBM replaced the S/38 with the AS/400, which while not a true capability architecture had similar hardware-protected addressing. The '400 was, and continues to be, a cash cow, showing that there's a market for capability and protected-addressing systems.

1
0

Meet the open sorcerers who have vowed to make Facebook history

Michael Wojcik
Silver badge

Re: The hardware underneath

Theoretically you could build some sort of massively redundant distributed system, though it would probably be easier to use Usenet.

Hey, look, it's NNTP. An open protocol for a redundant distributed social-media system.

I know. It'll never catch on again.

0
0
Michael Wojcik
Silver badge

Re: The hardware underneath

The big thing Facebook, Google etc bring to the table is a huge network of maintained servers

That's only part of it. Orlowski's "trivially simple" comment is, in fact, quite wrong. More is different.

When you scale up a system to the kind of transaction rates that Facebook handles, you need quite a lot of non-trivial software. It's not just a question of throwing hardware at it. Even a very low failure rate[1] turns into quite a lot of failures when multiplied by that load.

Take a look at Realtime Data Processing at Facebook, say, or the SVE paper, or TAO.

The big social-media players do quite a lot of software R&D. It is not trivial, nor simple.

And yes, Dovecot may handle, in aggregate, the email of a couple of billion people. Email workloads are orders of magnitude smaller than social-media workloads.

I'm perfectly happy to see people extending IMAP (though I've never been a fan of IMAP, particularly) or other open protocols. I've spent much of my professional career working with both open and proprietary data-comm protocols, and even the gnarliest open ones (IIOP, say, or if you want an IETF-blessed example, Telnet) are generally much nicer than the proprietary alternatives (ah, SNA, so many years you have claimed). But minimizing the technical challenges helps no one.

[1] And the high tolerance for failure in social-media applications, which really don't care about consistency and reliability.

0
0
Michael Wojcik
Silver badge

Re: Any kind of central "real world identity" system is RIPE for abuse. Period.

You don't need anything apart from the Android app to start using it.

Presumably you need at least one interlocutor.

And therein, I think, lies the rub. I haven't produced any content on Facebook since shortly after I first signed up several years ago: not a post, not a status update, not a "like". I do, however, read it for at least a few minutes most days, because my extended family and friends post heavily, and I respect them enough to try to pay a bit of attention.

None of them are using Delta Chat. None of them are likely to ever start using some new decentralized IMAP-based social media system. True, several use Twitter or Instagram or god knows what else; I ignore all of that because the Facebook skim is all I'm willing to invest in this, respect or no. But they started using those other non-Facebook social media services because there was pressure to, and that pressure was largely generated by marketing campaigns.[1]

I've yet to see an open protocol with a real marketing campaign.

To the vast majority of ordinary users, a new social media service is just what they see in the client app. And if that doesn't do something that they see as novel and valuable, they won't adopt it.

[1] Typically "stealth" campaigns of the sort described by Holiday.

0
0
Michael Wojcik
Silver badge

Re: Why IMAP and not XNMP?

I had no idea they had kept up with the cool kids.

While DER, and even more so BER, are abominations and largely responsible for the myriad problems of ASN.1 implementations, ASN.1 itself is still overengineered and excessive. It's the very antithesis of "cool", regardless of encoding.

OIDs in ASN.1 structures are useful, inasmuch as they add a typing mechanism, but even they are poorly designed. Hierarchical namespace: great. Represented with integers assigned by a numbering authority rather than human-readable text: dumb.

Aside from OIDs I'm having a hard time thinking of anything valuable ASN.1 brought to the table. It's not like it invented the idea of describing structured types using a CFG. We've had Backus-Naur Form since 1960, and as Wikipedia points out, the general idea is around 2500 years old.

0
0

How a QR code can fool iOS 11's Camera app into opening evil.com rather than nice.co.uk

Michael Wojcik
Silver badge

Re: Can backspaces (^h) be embedded into such codes?

I'd like to say no. I don't see a reason to recognise backspace in parsing a URL.

But I won't fall off my chair if in fact some system is vulnerable to this.

Such a system would not be conforming to the URL specification, if that's any consolation. The code points that can appear unencoded in a URI are specifically listed.

Backslash isn't allowed in IRIs either, but there we have the much more problematic issue of homographs - Unicode code points that (in most fonts) are indistinguishable from one another. Most of the popular browsers try to alert the user to homographic substitution by displaying IRIs in punycode encoding, though Firefox and its derivatives notably do not, by default.[1]

And even then we have to trust that a user looks at the address bar, sees the punycode, recognizes that something is up, and does not attempt to use the site further. That's far from certain.

[1] Mozilla's official position on this is that it penalizes users whose native language includes non-ASCII characters, and who would therefore like to use IRIs and see them rendered in a readable fashion. That's a reasonable argument, but it leaves all their users vulnerable to homograph attacks.

0
0
Michael Wojcik
Silver badge

Re: goto fail;

I believe a legitimate URI format is:

protocol://user:password@host:port/url-path

The "user:password" part is called "userinfo", and is part of the authority portion. See RFC 3986, section 3.2.1.

(The "protocol" is actually called "scheme".)

We've known for at least 14 years that userinfo is a problem for poorly-written URL parsers and for users. RFC 3986 actually deprecated the "username:password" form of userinfo - technically userinfo consists of "a user name and, optionally, scheme-specific information about how to gain authorization to access the resource" - and warns that userinfo should be presented to the user in such a way as to make it more difficult to use it to obscure the actual resource authority. That was in January 2005.

Thirteen years later, Apple still isn't complying with that recommendation. That's what happens when you let app developers write their own versions of common system components. It's the sort of thing that should be caught in security design review.

0
0
Michael Wojcik
Silver badge

Re: goto fail;

The problem is that the escape character (\) isn't recognised as such

Backslash has no special meaning in the authority portion of a URL. (Or in any other portion, for that matter.) It should not be interpreted as an escape character.

This is a stupid bug on Apple's part, period. We've known about issues with the userinfo portion of URLs for more than a decade - the earliest CVE I found for one was 2004 (CVE-2004-2597; a good later example is CVE-2008-0409). There's no excuse for not having a single implementation in the OS that parses URLs correctly.

0
0
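The three replies above (on userinfo obscuring the real host, on backslash having no escape meaning in the authority, and on homograph hosts that should be shown in punycode) describe the checks a URL display layer ought to make before showing a decoded URL to a user. The following is an added example, not code from any of the commenters, from Apple, or from the linked article; it relies only on Python's standard urllib.parse and the built-in idna codec, and every sample URL in it is constructed for illustration.

```python
"""RFC 3986 authority checks for URLs that are about to be shown to a user (added example)."""
from urllib.parse import urlsplit

# Characters RFC 3986 permits to appear unencoded anywhere in a URI:
# unreserved, gen-delims, sub-delims, and '%' (start of a pct-encoded octet).
# Backslash, backspace, space and all other control characters are absent.
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
_GEN_DELIMS = set(":/?#[]@")
_SUB_DELIMS = set("!$&'()*+,;=")
URI_CHARS = _UNRESERVED | _GEN_DELIMS | _SUB_DELIMS | {"%"}


def analyze_url(url: str) -> dict:
    """Report what a defender cares about before displaying or opening a URL.

    Returns the real host (RFC 3986 section 3.2.2), whether userinfo is
    present (section 3.2.1; the 'user:password@' form is deprecated and is
    the classic way to make nice.example look like the host), any ASCII
    characters that may not appear unencoded in a URI, and the punycode
    (IDNA) form of an internationalised host so homographs become visible.
    """
    # Only ASCII characters are judged here; non-ASCII is reported separately
    # as an IRI/IDN concern rather than as a malformed URI.
    disallowed = sorted({c for c in url if ord(c) < 0x80 and c not in URI_CHARS})

    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets in the authority
        return {"scheme": "", "host": "", "display_host": "", "userinfo": False,
                "disallowed": disallowed, "idn": False,
                "warnings": [f"unparseable URL: {exc}"]}

    host = parts.hostname or ""
    # urlsplit takes the host from after the LAST '@' in the authority, which is
    # what RFC 3986 requires; everything before it is userinfo, not the host.
    userinfo = parts.username is not None or parts.password is not None
    idn = any(ord(c) > 0x7F for c in host)
    display_host = host.encode("idna").decode("ascii") if idn else host

    warnings = []
    if userinfo:
        warnings.append(f"userinfo present: the resource authority is '{host}', "
                        f"not '{parts.username}'")
    if disallowed:
        warnings.append("characters not permitted unencoded in a URI: "
                        + ", ".join(repr(c) for c in disallowed))
    if idn:
        warnings.append(f"internationalised host; show it as '{display_host}'")

    return {"scheme": parts.scheme, "host": host, "display_host": display_host,
            "userinfo": userinfo, "disallowed": disallowed, "idn": idn,
            "warnings": warnings}


# Constructed sample URLs (not from the article); each exercises one check.
SAMPLES = [
    "https://www.example.com/path?q=1#frag",          # plain, nothing to flag
    "https://nice.example@evil.example/login",         # userinfo masquerading as host
    "https://nice.example\\@evil.example/",            # backslash: not an escape, not allowed
    "https://nice.example\x08\x08evil.example/",       # control character in the authority
    "https://www.ex\u0430mple.com/",                   # Cyrillic 'а' homograph in the host
]

if __name__ == "__main__":
    for sample in SAMPLES:
        report = analyze_url(sample)
        print(repr(sample))
        print("  host:", report["display_host"] or "(none)")
        for warning in report["warnings"]:
            print("  warning:", warning)
```

Run as a script it prints a short report per sample; the point of the design is that the host shown to the user comes from the parsed authority, never from a prefix of the raw string, and that anything outside the RFC 3986 character set is surfaced rather than silently interpreted.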
Michael Wojcik
Silver badge

Re: Well QR-codes would have some potential...

if the apps would display the full URL

Even then, they need to make the actual server FQDN clear to the user, and guard against homograph attacks. Simply displaying the URL is insufficient to provide any meaningful security.

0
0

Java-aaaargh! Google faces $9bn copyright bill after Oracle scores 'fair use' court appeal win

Michael Wojcik
Silver badge

Re: Bad for software patents.

Patents are not copyrights. Copyrights are not patents. Different rules apply.

3
0
Michael Wojcik
Silver badge

Re: Call me Bob and the desert my home

It is almost as if learning a little about software is not a requirement for making multi-billion dollar judgements about it.

Well, it isn't. The circuit court exists to interpret the law. It would be nice if it took into account the damaging effects of its decisions, but some courts (and CAFC is one) tend to prefer the "kill them all, let the legislature sort them out" approach.

2
0
Michael Wojcik
Silver badge

Re: Killed it.

I see nothing in this judgement that changes the situation for programmers using Java on top of Oracle's JVM

I don't see anything here that affects any other JVM either. It might affect other Java SDKs, but OpenJDK's license seems pretty secure to me (IANAL) and IBM and other powerful players have big investments in it. Taking on Google was already a large risk; I don't think Oracle want to tangle with IBM on top of that.

And many organizations have huge legacy Java code bases. This decision won't even give them pause.

0
0
Michael Wojcik
Silver badge

Re: Can Ritchie sue Oracle then?

All creative work is derivative

Possibly. This is an open problem in aesthetics. A perfectly random "work" is not in itself derivative,[1] but may not be creative - that's a matter of definition. Similarly, a purely found work may not be derivative in itself,[2] even if it is interpretable; consider Knapp and Michaels's "wave poem" thought experiment.

On the other hand, if you adhere to any of the schools that locate meaning-production primarily in the audience, then the aesthetic weight is in reception, and arguably so is at least a significant part of creativity. In this case all creativity would by definition be derivative, since interpretation can't happen without a ground.

[1] Except in the degenerate and meta-artistic sense of being generated, labeled as a work, etc.

[2] For found works, it's often argued that the creative act is entirely in the process of selection and publication, which is a stronger version of the qualification described in note 1, and clearly derivative both because found works have been published before and because publication follows established protocols. Thus the "in itself" qualification is particularly important in this case, and if it's disallowed we can discount found works as possible exceptions to the rule.

1
0
Michael Wojcik
Silver badge

Re: So...

Patent != Copyright. They're very different under US law.

2
0
Michael Wojcik
Silver badge

Re: "My gut feeling says the FSF is waiting for the prime time to sue ..."

Unless, of course, whoever owns Novell nowadays wants to do it.

Micro Focus owns Novell. I think it very unlikely we'd start an API-copyright war. Legitimate software licensing is one thing; pursuing quixotic IP claims that fly in the face of decades of software tradition is quite another.

Plus a big part of our business is emulating mainframe environments such as CICS, JES, and IMS. Including APIs.

Like most here, I'm hoping SCOTUS hears a Google appeal and overrides CAFC. I can see CAFC's point in this ruling, but it's disastrous.

2
0
Michael Wojcik
Silver badge

Re: Subsystem for Linux

They're trying to implement the Win32 API, using the reference manuals as the specification.

The text of the reference manuals is copyrighted, so if they use the same text verbatim for function names and signatures, they are - under the CAFC ruling - in potential violation of copyright. Having access to the source code is irrelevant.

1
0

NASA fungus problem puts theory of 'Martian mushrooms' on toast

Michael Wojcik
Silver badge

Re: Um, nope

Extra-terrestrial fungi from meteorites hidden in NASA labs for 20 years

My guess is that the fungi came from the Mushroom Planet.

2
0
Michael Wojcik
Silver badge

Re: Houston, we have a problem!

eventually we found a fungus growing, albeit extremely slowly, in the undiluted "toxin"

Yeah, there are some remarkably extremotolerant fungi.

3
0
Michael Wojcik
Silver badge

Re: Sounds like

when it involves being on your hands+knees and lots of bending over? that's not very fun...

Extensive evidence available online* suggests otherwise.

*Except in Theresa "For Your Own Good" May's UK, of course.

2
0

Guccifer 2.0 outed, Kaspersky slammed, Oz radio hacker in the slammer, and more

Michael Wojcik
Silver badge

Re: HERE in the US

You are not, I take it, familiar with the concept of the byline.

Or the concept of the semicolon, apparently.

0
0
Michael Wojcik
Silver badge

Re: Guccifer the Russian intelligence officer :] ... and Brains Before Brawn ...

Ugly and Inept SOAPs

I can accept that the Simple Object Access Protocol is ugly and inept, but I don't think we can blame the Russians for it.

0
0
Michael Wojcik
Silver badge

Re: Moscow Elite

Huh. I do all my hacking from your home broadband too. What a coincidence.

0
0
Michael Wojcik
Silver badge

The list, at this point, probably is woefully incomplete.

Given the geopolitical and material power and importance of the US - which, while not as great as many here in the USA seem to think, is still considerable - I'd be surprised if an outside entity with the capability didn't try to influence a US election. The likes of Henry L. Stimson, showing some restraint in covert action against your ostensible allies, have always been rare.

And, after all, if you have the interests of your own nation foremost, it's not a huge leap into realpolitik to engage in such "meddling".

I might not like it (though to be honest I can't seem to summon up much outrage, however much I might believe Trump is a lazy, willfully ignorant, megalomaniacal bully with little self control), but I understand it. Similarly, while I really don't like the DNC (or the RNC, or any of that sort), like Tom I am not at all surprised by the revelations. It is impossible that a major political party under the US system would not have such an organization.

0
0

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

Michael Wojcik
Silver badge

0-RTT

That will make connections much faster but the concern of course is that someone malicious could get hold of the "0-RTT Resumption" information and pose as one of the parties.

That's not the issue with 0-RTT. The problem with 0-RTT is that it has no replay protection.

TLS servers that allow 0-RTT Resumption are instructed to ensure the request is idempotent so that there's no vulnerability if an attacker replays it. That pushes a critical security responsibility up to the application layer, which a number of people (myself included) believe is a Bad Idea.

0-RTT is one of the optimizations that big HTTPS sites (Google, CDNs) pushed for, because it makes a measurable difference to their costs. Everyone else should avoid it like the plague.

1
0
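The post above says 0-RTT pushes replay handling up to the application. The following is an added example, not part of the post, of what that looks like server-side: a bounded-window anti-replay filter over the 0-RTT ticket binder (the single-server mechanism RFC 8446 section 8 describes) combined with rejecting non-idempotent HTTP methods that arrive as early data with 425 Too Early (RFC 8470). The class name, the window length and the `clock` parameter are this example's own choices.

```python
"""Application-layer gating of TLS 1.3 0-RTT early data (added example)."""
import time

# Methods RFC 7231 defines as idempotent; only these may be served from
# early data, because a replayed 0-RTT request re-executes them harmlessly.
IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE", "PUT", "DELETE"}


class EarlyDataGate:
    """Decide whether a request carried in 0-RTT early data may be served.

    window_seconds bounds how long a seen binder is remembered. Replays
    older than the window are not caught by this filter alone; RFC 8446
    pairs it with a ticket-freshness check, which is omitted here.
    """

    def __init__(self, window_seconds=10.0, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic tests
        self._seen = {}             # binder bytes -> time first seen

    def _expire(self, now):
        cutoff = now - self.window
        for binder, seen_at in list(self._seen.items()):
            if seen_at < cutoff:
                del self._seen[binder]

    def accept(self, method, binder, early_data):
        """Return (status, reason); status 0 means forward the request,
        425 means answer 'Too Early' so the client retries after the
        full handshake (where early_data is False and nothing is gated)."""
        if not early_data:
            return 0, "full handshake, no replay risk"
        now = self.clock()
        self._expire(now)
        if binder in self._seen:
            return 425, "replayed 0-RTT binder within window"
        self._seen[binder] = now
        if method.upper() not in IDEMPOTENT_METHODS:
            return 425, "non-idempotent method over early data"
        return 0, "idempotent early-data request"


if __name__ == "__main__":
    gate = EarlyDataGate()
    # Constructed binder values; a real binder is an HMAC from the ClientHello.
    print(gate.accept("GET", b"binder-1", True))    # served
    print(gate.accept("GET", b"binder-1", True))    # replay -> 425
    print(gate.accept("POST", b"binder-2", True))   # not idempotent -> 425
```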
Michael Wojcik
Silver badge

Re: Nice!

As for not being able to inspect data that is within encrypted traffic.. well isn't the whole point of encrypted traffic to stop just that?!

No, it is not. If you don't want to "inspect data that is within encrypted traffic", just emit random data instead. For encryption to be useful, it has to be decrypted under authorized conditions.

Many organizations have good reason to inspect traffic, typically for exfiltration detection, fraud detection, or malware detection. And if it's running over their network, they typically have a legal and ethical right to do so.

Security involves not only preventing misuse of a system, but also enabling proper use - and proper use is defined by the owner of the system. (Another version of this maxim is the "CIA" model: Confidentiality, Integrity, and Availability. Confidentiality and Integrity, which are what cryptographic systems generally aim for, are of limited use without Availability.) If the owner says "data should be concealed from everyone except three parties: sender, recipient, and monitoring system", then that's the proper use.

1
0
Michael Wojcik
Silver badge

Re: Round we go again

They're doing it wrong. The IETF should immediately switch mental gears and try to replicate the approaches that the miscreants will employ, to try to stay ahead or keep up.

Why do crypto stories bring out the sophomoric posturing?

The IETF does not, as a body, perform cryptographic research. That's done by independent researchers, alone or (more typically) in teams. The IETF is a standards body.

Security researchers have been looking at all aspects of TLSv1.3 since they were published or presented. It's not like 1.3 was a big secret until it was finally approved. All of the algorithms, primitives, and protocols have been under constant scrutiny. And they will continue to be.

Many of the vulnerabilities in previous versions of SSL and TLS were published by white-hat researchers before any exploits were seen in the wild. That doesn't prove they hadn't been used surreptitiously, of course; but they weren't widespread. It's an arms race, and both sides have been racing all along.

And by the same token, people are always discussing what might be in the next version of TLS. 1.3 does fix (for various values of "fix", and in some cases controversially) a number of issues with older versions of the protocol, though, and importantly adding new suites doesn't require a protocol rev.

1
0

Reflection of a QR code on PoS scanner used to own mobile payments

Michael Wojcik
Silver badge

Re: How to retrofit bonk-pay to your existing Smartphone

That can lead to scratching the phone.

Scratching the back of the phone? Oh no!

Also, what kind of phone do you have which can be scratched by a plastic credit card? Is the case made of unfired clay? (Try the new Samsung Adobe!) Chocolate? (When the Godiva Phone stops working a year after you bought it, you can eat the delicious case!)

Personally, I don't use NFC payment anyway. But if I did, I certainly wouldn't be worried about scratching the back of my phone.

2
0

Cambridge Analytica CEO suspended – and that's not even the worst news for them today

Michael Wojcik
Silver badge

Re: That Hideous Strength

Anything with [Steve] Bannon involved might be suspected by unkind people of having similar leanings.

You give Bannon too much credit. He's a lower-tier lackey and public face for the people who prefer to operate out of direct sight, like the Mercers. Before he took over Breitbart NN (which only happened because of Andrew Breitbart's unexpected death in 2012), Bannon was just a marginally-successful investment banker and Hollywood producer. He was best known for his claims to have helped negotiate the syndication deal for Seinfeld, but no one actually involved in that deal seems to recall his participation.

Now, anything the Mercers are involved in - watch out.

1
0
Michael Wojcik
Silver badge

Re: Shame.

There is a popular extension that mentioning Hitler causes instant loss of a debate, which is sometimes abused.

Cliff Stoll may have been the first to add that corollary. Mike Godwin endorsed it in his 1995 Net Culture post.

Part of Godwin's original point - as he described it in the Godwin's Law post he cross-posted to a number of popular Usenet newsgroups in 1991 - was to point out how readily Usenet posters would trot out the Hitler comparison. He felt that trivialized the associated historical events, and was rhetorically ineffective, because it had become a cliché.

Stoll's point, I assume, is that once Godwin's Law is satisfied, there's a good chance that the debate has degenerated to hyperbole, insult, and trivial generalization, at least on one side; and so nothing more productive would happen in it.

It's an observation, not a parliamentary rule. Note also Quirk's Exception.

1
0

Magic Leap bounds into SF's Games Developer Conference and... disappears

Michael Wojcik
Silver badge

Re: But...but...

Allegedly, car manufacturers pay to have their cars in films.

I don't think DMC did. They'd been bankrupt for three years when BackFuture came out in '85.

0
0

Biting the hand that feeds IT © 1998–2018