Posts by Michael Wojcik

Re: Common

I work from home every day of the week, and I don't need a "portable" home directory, or work material on my personal machine.

I have two employer-owned laptops. They go where I go. That's been the arrangement for over 25 years, and it's always worked just fine.

Even if I split my time between home and office, there'd be no need for a portable home directory, because for anything I need shared there are corporate change-management systems. (For historical reasons, some of my stuff is in Subversion and some is in GHE, but the specific flavor doesn't matter.)

Windows has had portable home directories for decades. I've never had any use for that, either. We had them on UNIX workstations with NFS and other network filesystems since the '80s; I never felt the need to set them up in the years I had a collection of UNIX workstations to myself.

Systemd is pushing an old idea that is of little or no use to most people.

Re: "a pain when using the pieces to create something new"

Nothing stops you from using the custom pieces in other ways.

My older granddaughter is also 7, and she's been playing with Lego since she was 2. She has a bunch of sets from various collections (mostly DC Superheroes, Harry Potter, and Frozen), and we do all sorts of things with them after the official build. All sorts of stories have been played out with odd characters and chimerical monsters in bizarre vehicles and Frankenhouses.

And all the sets I've seen have plenty of generic parts, too.

Re: a recurring theme ... was that the three laws didn't really work all that well

The stories focus on the rare instances when things go wrong, and are seen as abnormalities against millions of robots not causing any fuss.

Irrelevant to the force of Asimov's robot stories. The point isn't to explore whether the Three Rules produce an acceptable defect rate or are probabilistically "good". It's to consider a series of logic puzzles in which a system of three simple axioms is shown to produce surprising results.

In that sense the Three Laws work "poorly", for their ostensible purpose (though well for their pedagogical one), because they appear to offer simple, absolute guarantees, but it's possible to find numerous exceptions. The principle of least surprise is violated.

It's certainly possible to claim that in the world of the robot stories the Three Laws work "well" in a practical sense. That's much like Chaitin's argument that Hilbert's Entscheidungsproblem was a resounding success, because Church's and Turing's proofs that it can't be solved introduced formalisms that were invaluable in spurring the development of digital computing; a mathematical "failure" (not really a failure, of course, and Chaitin doesn't characterize it as such) contributed to a major technological advance. You could say the same of the Three Laws (in their world): mapping their logical "failures" helps cement their application in technology.

But reading that as a principal theme of the stories rather goes against the interpretations most readily inferred from the text, I think. The stories are about how the Laws fail.

Re: It's hard to believe that...

Have to agree with bob here regarding the PS/2, or more specifically the MCA. Trying to use it to kill the clone market was a bad move. IBM eventually clawed back some of the PC market with Thinkpads and its PCI-bus server offerings but never came close to recovering its former position, and MCA turned out to be just an expensive adventure.

However, even in the PS/2 era IBM had a lot going for it, with three strong non-PC system families (RS/6000, AS/400, and ES/9000) and a research organization that was still among the best in the world. The rise of Linux, and to some extent Windows Server, gutted all the private UNIXes, but POWER (these days the p line) survived better than most. AS/400-then-i has been a cash cow for decades; it was just the right incremental evolution of S/38 to keep that market, and the move in CPU architectures was handled smoothly.

And while It's impossible to completely stem the tide of 370-family (ES/9000 through today's z) defectors to Windows and Linux (something I have personally contributed to, so this is of interest to me), IBM has worked hard at updating mainframe hardware and software with improved performance and new features to keep many of those customers coming back. They're very good at finding out what will convince people to renew those leases, whether it's building REST web service support into CICS or adding "pervasive encryption" to zOS.

I agree with the poster above that what's really hurt IBM is the short-term thinking of the past couple of decades, with massive "returns of value" to shareholders backed by ruthless cost-cutting and deskilling.

Re: “A country torn apart by nationalism, corruption and warring factions”

Boris does seem to be something of a "doing it for the lulz" PM. I wouldn't be surprised to see him wandering off when clouds begin to gather on the horizon.

Apparently the best-selling EV worldwide for 2018.

EVs don't meet my needs, but if for some reason I was forced into a daily commute by car again, I'd consider the Leaf.

I don't care for any of the Teslas - there's really nothing about them that appeals to me, and I really dislike the technophilic attitude that dominates the designs. (I loathe touchscreens in cars, for example, and while they're becoming impossible to avoid in new models, Tesla seems to consider them an object of worship. And I detest driver-"assistance" systems like Autopilot.)

Re: I'm confused...

No, it really isn't like saying that. Try reading for comprehension.

Re: When will we get rid of this malady?

The OpenSMTPD project claims it's "part of the OpenBSD project", but OpenBSD itself lists it as an "associated project". It appears to be primarily the work of two developers, neither of whom is Theo de Raadt. I do think it's unfortunate that OpenBSD adopted OpenSMTPD without challenging it on this very poor architectural decision, though.

The first of OpenSMTPD's stated goals is "Be as secure as possible". Exec'ing the shell with tainted input on the command line is not compatible with that goal, regardless of how much whitelisting and escaping you try to do.

I also find it disturbing that this bug was reportedly introduced in 2018. There was an OpenSMTPD update in 2015 that fixed various security holes (and looking at the diffs is not encouraging, frankly). Then sometime over that five-year gap, someone decided to make a change that created a severe vulnerability. Where was the code review for that? What improvement was that change meant to deliver? Public-facing network services are the most prominent facets of the attack surface, and should receive the most scrutiny, but this 2018 change doesn't seem to have registered on the OpenSMTPD project website.

Also, I'm curious to know what's supposed to justify OpenSMTPD as an alternative to, say, qmail, or a new project based on qmail. Was writing a new MTA in C really the best idea?

And, seriously, any decent static-code analyzer with data-flow analysis should have been able to catch this. A dynamic-analysis tool that explores untested code paths - even something like AFL - should have been able to catch the offending case too. Seems like the OpenSMTPD team isn't making use of tooling to help catch vulnerabilities. That, too, is a failure to live up to their own goals.

All that said, using this (really quite appalling) error as an excuse for a blanket condemnation of OpenBSD is simplistic to the point of uselessness. OpenBSD has addressed many other vulnerabilities, and no non-trivial system is perfectly secure. We may hope that this incident leads the OpenBSD team to turn a more critical eye on their associated projects.

Thanks. Sounds like it's worth a try.

Re: There's just one problem with this scenario...

nor can any POTUS simply declare a national emergency

No need. We're in a state of emergency already. We're in 30 of them. We've been in a state of emergency since 1979.

Frankly, your whole post smacks of "it can't happen here". While I'd certainly like to believe that's true - and I for one have viewed all the predictions of doom since 2016 with a jaundiced eye, even while acknowledging Trump's many vile deeds - I also remember how every failed state has had no shortage of people explaining why their country could never devolve into autocracy.

My suspicion is that Trump's handlers have enough control over him to keep him from doing anything that might upset the Wall Street applecart. The Mercers, for example, presumably enjoy the bull market and want at least the pretense of constitutional government to continue. And Trump's quite comfortable right now with the Senate and SCOTUS on his side. But I'm not ruling out an attempt to assert excessive power, if only because I don't think he's rational.

Re: AI could easily spot things we miss

Too limited: there are ML approaches which result in explicable (amenable to analysis after creation) and interpretable (composed from understood parts) models. See for example this Cynthia Rudin paper.

Models with hidden state - from HMMs to traditional ANNs to DL stacks - obviously are black boxes, at least initially, though research into explaining them is a popular field. (I'm not terribly optimistic about its prospects for the more-complicated DL architectures, but we'll see.) But in the rather wide range of things being lumped into "AI" these days, certainly not all approaches are black boxes.

For that matter, the popular media are likely to label even things like kNN clustering and decision trees and SVMs as "AI", and they're not black boxes at all.

Re: What part of ....

To be honest, I've never had much luck getting SharePoint to share anything in a reasonable, sane manner.

I've not had much luck finding the point in it, either.

(Just look at the links it generates. It's like Microsoft looked at the web and said, "hey, how can we screw this up?")

Re: Deliveries [..] won't start until the week commencing 10 February

Eh, full stops would have turned a mildly entertaining rant into a feeble and pointless one.

In its present form, I have a nice mental image of AC gasping and clutching his¹ side, having just run a mile to deliver this urgent news to us in a single sustained, gasping outpouring of barely-discernible words.

¹Going with the most probable pronoun here.

Re: More foaming at the mouth from Republicans

We're talking about Liz Cheney here, whose definition of "freedom" is "the right to do what I think you should do".

This is a woman who publicly attacked her own sister's marriage to another woman, and equated criticizing Trump with treason. Except when it involves hunting wild animals, she's never been big on promoting freedom, at least as any rational person understands the notion.

Re: Just wondering...

But less profitable.

Re: Secure Proccessors for sale - $100 each

The original SPECTRE paper demonstrated in-browser attacks, as did the Zombieload paper.

Multi-tenant is at risk. Privilege boundaries are at risk if you have an RCE in an unprivileged process. Enclaves are at risk (though, seriously, fuck enclaves; do they have a real use case other than DRM and spyware?).

We haven't seen in-the-wild exploitation of these vulnerabilities because:

1. Disclosures have been embargoed until the most prominent targets could be remediated. That's what happened with the browser-based exploits for SPECTREv1.

2. We have no shortage of easier-to-use exploits for untargetted attacks, and frequently for targetted attacks as well.

3. Microarchitecutural exfiltration attacks are hard to detect, so they may well have been used in targetted attacks without anyone being the wiser. Just like we have no idea how many victims there were for Heartbleed.

Re: Auditors....

IIRC, he admitted he didn't read the preliminary due-diligence report. He pushed the sale through before the final one could be completed.

Re: Boo-hoo what a shame

Damn. That's from 2002. Google was only 4 years old; Facebook didn't exist yet. Amazon's collaborative-filtering recommendation system had only been patented a year earlier (US6266649). While the general direction may have been clear to those who were paying attention, that's still a marvelously prescient story.

(Pretty funny too. I chuckled audibly at the Burger King line.)

Thanks for the link.

Re: "using photos of millions of people in Illinois without informing them"

Grab a dataset (or photos) from the web without checking the law, copyright, etc

In this case, IBM only scraped photos which explicitly had a liberal CC license applied.

It seems to me BIPA and CC are in conflict here. I have no idea whether BIPA makes the right it establishes inalienable, or whether it can be waived by a license such as CC. (I haven't looked at the text of BIPA.) And I wouldn't want to even hazard a guess as to how courts would find. But I don't think this is a clear case of IBM deliberately violating the law, since a reasonable interpretation of some CC variants would allow what they did.

Re: Old news is good news

Valuable as RFC1984 is as a position statement, I don't think it does explain why "key escrow is fundamentally broken". It expresses a position which is fundamentally opposed to key escrow, but while I agree with that position for most applications,¹ I don't see how it constitutes an argument that escrow is "broken". In cryptographic research, "broken" is a term of art that implies a rather stronger test than "no sir, I don't like it".

¹There are a number of specialized applications where key escrow is a useful aspect of the protocol, under certain threat models that are reasonable for those applications. Filesystem encryption of organization-owned equipment, where keys are held in escrow by the organization's IT department, is one example. Private communication among private citizens is not one of those applications.

VMWare - eat ya heart out!

Eh, IBM's VM was doing full virtualization in 1972. Even if Intel had some dream of CP/M virtualization with the 8088 (which I tend to doubt), they wouldn't have been first.

Nor would Magic Unicorn Storage do anything to make a dumb-terminal alternative to the smartphone useful when you can't get a connection.

Re: Colour me cynical

It provides cheap way to seal the phone from the environment.

Not as cheap as putting the phone in a ZipLoc bag.

Re: Hmmmm...

outside ARPANET (and possibly early versions of JANET) it wasn't really used

I don't believe that's true. While other protocol families such as DecNET, SNA, and XNS were also still common at the time, even in the first half of the '80s TCP/IP had a significant share of local networks and small-i internets in academia and some businesses. The CMU/IBM Andrew Project was always TCP/IP-based, for example, and it started in 1982. The same was true of MIT/DEC/IBM's Project Athena, which started in 1983. I think BSD 4.1a with TCP/IP came out in '82.

For the big-I Internet, besides ARPANET there was CSNET (routing TCP/IP over X.25, starting in 1981), NSFNET (1986), and others.

Wikipedia says JANET (an X.25 network) didn't start routing IP traffic until the 1990s. BITNET, a prominent US academic network, and IBM's VNET (the largest internet in the world until it was surpassed by the TCP/IP Internet sometime in the '80s) ran on RSCS, a pre-SNA IBM protocol. RSCS was a store-and-forward protocol somewhat like UUCP.