* Posts by bazza

1920 posts • joined 23 Apr 2008

FreeRADIUS fragged by fuzzer – by invitation – and fifteen fails found

bazza
Silver badge

“C is a terrible language for security”.

Only if written wrong...

RUST is looking quite cool. There's a growing and strong argument in favour of re-writing lots of stuff in it.

There's a whole OS (redox?) coming along nicely, with a kernel written in RUST. The speed with which it's been written is pretty impressive.

The language seems to be a happy balance between ideas taken from high level languages and being a suitable systems language.

4
4

The curious case of a Tesla smash, Autopilot blamed, and the driver's next-day U-turn

bazza
Silver badge

Re: Hmm

Agreed. If Tesla were stupid enough to bribe someone who is the subject of a minor police enquiry, when it'd be oh so easy for the cops to obtain the data through a warrant, they would be risking that enquiry becoming a major affair. I can't believe that the company would do that.

Nonetheless I suspect that the police department is now going to request the data. If it's missing (for example, there was no cellular coverage in the area), then things could become more interesting... No coverage gives Tesla plausible deniability, and an enterprising police department might want to explore the depths of that.

Anyone any good at data forensics on Teslas? I mean, apart from Tesla?

On the whole though it sounds like Autopilot was off. If they've leaned on the guy to change his tune, they did so pretty quickly and that probably means they do have the relevant data in their servers. They may well have already furnished the police department with a copy of their data; we just haven't heard that part of the story yet.

16
1

Pastor la vista, baby! FCC enforcers shut down church pirate radio

bazza
Silver badge

Re: I wouldn't say it was ALL downhill.

And Kenny Everett. Briefly. Several times. They, like everyone else, were serial Everett hirers / firers.

Sadly missed, both of them.

We could certainly do with Kenny's documentary series being back on air. I reckon some world politicians would be appalled at the continued atrocities being committed by the Thargoids, and would set out to do something about it. That's something we need them to do.

4
0

UK spookhaus GCHQ can crack end-to-end encryption, claims Australian A-G

bazza
Silver badge

What we should be asking is how they intend to PREVENT messages such as im.qq.com from being secured

If it's ad funded, the law can go after the advertisers, and ultimately the law can go after the telcos and ISPs too. The software may exist, but it can be made unprofitable and, perhaps, its servers unresolvable.

For example, the Google boycott that started in the UK and spread has shown governments all over the world how to get a grip on online services. It became socially unacceptable to advertise on Google, so Google lost some revenue. If that social unacceptability became law, the boycott is country-wide and they lose even more money.

Cue lots of talk of extra moderators and AIs, all across the industry. Will it be enough? Who knows, but they need to try hard. One day it could be that if WhatsApp annoys the cops in a country, Facebook risks losing all advertising revenue in that country.

If enough countries get fed up with a particular service's uncooperative responses to law enforcement warrants, their money stream gets cut off.

It's a cunning tactic. End users don't notice, apart from the lack of ads.

It's a disaster in the making for the social networks because they really cannot trust their users to self moderate, so they have to do it instead. This kind of governmental pressure on their revenue stream is only going to increase. For example, Gov wants to clamp down on online bullying? Make it socially unacceptable to advertise, pass a law to back that up. Facebook's (or whoever's) AI and moderation systems will have to get better and better, which sounds more and more expensive.

Now, if they knew for sure who their users actually were, that's a different matter. The buck can be easily passed if a user is legally identifiable.

4
13

Guess who doesn't have to pay $1.3bn in back taxes? Of course it's fscking Google

bazza
Silver badge

Re: Change the law, then

France can change the law by ruling what they consider is taxable. The EU law says sales cannot be taxed twice. If they rule there is one contract with Ireland and one with France then they can tax each service once.

They might rule that, but there is no actual contract made with Google France. That's effectively what the French court ruled.

It would be pretty difficult for French law to say there is a contract in France when no agreement is made in France. There wouldn't be a piece of paper with Google.fr on it to point at. There wouldn't be a financial transaction in France to point at. It would be a stupid law that says something exists when it plainly doesn't. What would the law do, magic such a piece of paper into existing?

The only thing that does exist is a flow of cash moving from French bank accounts to an Irish company. That could be taxed.

But to tax that flow is the imposition of a services trade barrier with Ireland, something no EU member nation can do according to the treaties they've signed. France could withdraw from the treaty if they want, but that is FREXIT.

Or they could persuade the Irish to not tax it, but that doesn't sound like a good idea for the Irish balance of payments. Can't see that happening.

3
0
bazza
Silver badge

Re: Change the law, then

Can't change the law. It's not their law that matters.

Effectively the French court has pointed out that the French government cannot do anything about it. They cannot even make a law change that will have any effect. The relevant legal / tax jurisdiction is Ireland, and France's impotence in the matter is a consequence of the EU treaties that France is a signatory to.

The only change France can definitely make that allows them to redress the imbalance is to prevent free trade of services and goods, AKA FREXIT.

Of course, they could try and renegotiate the whole of the EU trade arrangements, but that'd be very difficult.

If we think BREXIT is dramatic, we've not seen anything yet. The spectre of protectionism in Europe and across the world is looming. Some people will be better off for it. Most won't be.

The idea behind free trade is to spread the cash round, bring everyone up to a similar level. It doesn't work if mega corporations simply accumulate cash, taking it out of the world economy altogether (Apple's cash pile, etc). Free trade is being allowed to become socially useless.

4
4

Ubuntu Linux now on Windows Store (for Insiders)

bazza
Silver badge

Re: But...

Shouldn't Canonical object to this misuse of their trademark?

Apparently they gave it their blessing. But as their stuff is open source and freely available, fork-able, etc there is nothing they could do to stop it anyway. Bit like CentOS vs RedHat.

1
0
bazza
Silver badge

Re: But...

Oh, sort of Wine in reverse then?

Not really. WINE emulates win32.dll, and other high level dlls. These are exclusively used by Windows binaries to access kernel services. The reverse of WINE would be sort of like a reimplemented glibc.so for Windows.

This is a Linux kernel system call shim for Windows. So a real Linux binary calls a function in the real glibc, which in turn makes Linux kernel calls just as if it were really running on Linux. And the shim translates that into the equivalent windows kernel call(s).

Reasons

The reason why Wine does what it does is because the Windows kernel system call interface has never been published. So they had to emulate the next layer up (win32.dll).

Because the Windows kernel system call interface is not public, no one can do a windows kernel shim layer for Linux. Apart from Microsoft.

Which is exactly what they're doing with their port of SQL Server to Linux. Instead of using Wine or doing an actual source code port, they're emulating the Windows kernel on Linux.

Consequences

Ultimately this kind of abstraction of kernels will mean that people will stop caring about which kernel they're running. In theory you could construct an OS that looks like Ubuntu, smells like Ubuntu, feels like Ubuntu, but just happens to have a Windows kernel and Windows drivers instead of the Linux kernel and its lesser set of drivers.

If MS were giving the kernel away for free so that the Linux Distro companies could do this if they wanted to, such frankenOSes could be quite useful. All the same freedoms as commonly enjoyed now (who ever really does their own kernel hacking? Not many...), but with rock solid driver support. The Linux kernel community might care for GPL2 and open source purity, but quite a lot of people just want an OS that works on their hardware for free.

5
0
bazza
Silver badge

Re: new fangled Windows Subsystem for Linux

Essentially 21st C version of the old MS Services For Unix, slightly updated.

It's not even remotely close to being that.

if you want to dual boot, or run Ubuntu in a VM on Windows (the reverse is better), then get Ubuntu or any other Linux distro (or BSD etc) in the normal way.

Why bother? If an Ubuntu user land installation cannot tell the difference, why bother dual booting or going the whole VM route?

3
0
bazza
Silver badge

Re: But...

This is the new fangled Windows Subsystem for Linux. It allows linux binaries to natively call their expected APIs under a windows OS, through a very lightweight translation layer.

To add to that excellent post, it's basically the same trick that Solaris, FreeBSD and QNX also do to support Linux binaries.

It works so long as the Linux binary is compiled for the same CPU that the OS is running on. So Solaris x86 can support Linux binaries so long as they were also compiled for x86. QNX can do it on ARMs.

3
0
bazza
Silver badge

Whoops! Typo

Yes^hars.

Thank you for your forbearance.

2
0
bazza
Silver badge

Regarding your latter point, that'll be leap yes only...

10
2

LHC finds a new and very charming particle: the Xicc++ baryon

bazza
Silver badge

Re: Awe

I would offer them a beer but I suppose they would be too busy looking for the next quantamy quarky higgs thingy to come along.

Nope, beer works well no matter what, offer away!

In fact beer was the inspiration for the bubble chamber, a now sadly obsolete detector type that used vast quantities of superheated liquid hydrogen to form bubbles around the tracks of particles which were then photographed.

0
0

U wot M8? Oracle chip designers quietly work on new SPARC CPU

bazza
Silver badge

Re: Scale

What's age got to do with it?

There's features in Solaris that Linux is still trying to replicate. ZFS is one of those.

Sparc/solaris clearly matter to enough people to make comparisons to Intel / Amd / Linux / Windows irrelevant. They want it, Larry's selling it. Or maybe Fujitsu are.

IBM is similar. There's enough niche applications for which mainframes based on POWER are ideal to be worthwhile making them. For example POWER, with its decimal maths coprocessor, is fantastic for currency exchange calculations. Some people want to do a lot of those ultra reliably every day of the year.

7
1

Zero accidents, all of your data – what The Reg learnt at Bosch's autonomous car bash

bazza
Silver badge

Re: Zero accidents?

Yes, that's kind of the problem behind the whole self driving car "bubble". It is impossible to achieve whilst guaranteeing that there will be no accidents.

The only way to achieve it with technology we have now or at any point in the next 100 years is to turn all the roads into closed access, no bikes, no motorbikes, no pedestrians, no horses, no human driven cars, fenced off zones with standardised carriage widths, zero potholes, no fog, no snow, no heavy rain, no flooding, no fords, no ice, no deer running across the road, etc. We already have those, they're called railways (e.g. Docklands Light Railway in London). Except there we use steel tracks and wheels instead of tarmac and rubber and they don't mind fog or rain or deer so much, they don't have potholes, but admittedly do seem flummoxed by the wrong sort of snow, leaves, etc.

In short, a certifiable self driving autonomous anything needs to have an artificially controlled environment kept clear of any hazard or risk that cannot be controlled by the system designers.

There's a serious amount of money being put into this bubble by a lot of badly advised investors. For companies like Bosch it's slightly different - it gives their engineers something to do when they might otherwise be twiddling their thumbs.

I think that at best the thing that will come out of this whole thing is a super-advanced cruise control that still needs a sober licensed driver paying attention sat behind the steering wheel. Trouble is that that is of very little appeal in the car market. For example, who'd genuinely pay £10k (guessing the premium here) extra for a system that still can't drive you home pissed after a decent night in the pub? That's a lot of taxis. And for a long time to come the price of all this equipment is going to outweigh the total cost of most cars anyway. Doesn't bode well for the mass marketing of these things.

This bubble will eventually get burst. The ones who are first to do their systems engineering and certification engineering properly, and some decent market research to see the true sales potential of a partial solution, will get out and sell their project to one of the other big players.

12
2

While USA is distracted by its President's antics, China is busy breaking another fusion record

bazza
Silver badge

Re: let me guess...

Hmmm, well apart from the failed efforts back in the 50s, 60s, the progress has been ahead of track since the 1970s. The JET project in Culham in the UK exceeded its research objectives, and that has now been expanded into the ITER project. There is a plan, but it is quite a long plan, but for the past 40ish years it's been running according to (or better than) plan. More or less.

ITER won't produce power, but it is aiming to be able to sustain a plasma. Once that's achieved, fusion power is a certainty, not a hope.

34
1
bazza
Silver badge

Re: Worse..

If the Chinese can crack it they will be absolutely flooded with every possible malware the US can throw at it...

Sensationalist clap trap.

China and the USA (and Russia too) are members of the ITER project. China is helping build it, just like everyone else. Even the Iranians are talking of joining in. As member nations, they all have equal access to the intellectual property developed by the project. A lot of the other projects are in support of the joint ITER effort, as is the norm with large, international, collaborative scientific research projects.

ITER is too important to be cocked up by politicians. One can only hope that Trump doesn't decide that America is too important to mix it with the Old Foes.

35
1

Create a user called '0day', get bonus root privs – thanks, Systemd!

bazza
Silver badge

Re: POSIX

I can't have 1234 as my username. That's my password.

Hang on a mo, I'll just log in and change it for you.

There, how's that?

2
0

Microsoft boasted it had rebuilt Skype 'from the ground up'. Instead, it should have buried it

bazza
Silver badge

Re: Market research

@IsJustabloke,

"Carrying 2 phones in this day and age is nuts,"

I couldn't disagree more strongly with this sentiment!

my phone is *my* phone I don't want work shit anywhere near it. So what if I have two phones? it's not like they're the size of a brick. At the end of my working day I throw it in my lappy bag and walk away.

Ah, well that was the beauty of BlackBerry Balance on BB10. There is a cryptographic separation between work apps, data, calendars, email, contacts and your own personal apps, email, contacts, etc. The cryptographic separation is pretty good, and has a lot of approvals from DoD, MoD, etc. Work could remotely control / wipe their partition, but had zero ability to see, wipe, or control the personal partition. You couldn't copy / paste from work apps/email to personal apps or email, and vice versa.

The result is that Work can be confident that their data won't leak through your personal accounts and apps, and you could be confident that work cannot see or control your personal stuff. If you want to boot work off it altogether, simply sign out to sever their connection and wipe all the data.

Fence Sitting

The best bit is that the OS's own calendar app could sit on the fence between the two partitions, and see down into both your work and personal calendar, so you could easily manage personal and work appointments even though neither calendar backend is aware of the other. Similarly for the email client, contacts, etc.

This is the feature that many other mobile management packages lack; you have two separate calendar applications to check before making appointments, two places to look for email, two places to look for contacts, etc.

Two Phone Numbers All At Once

BlackBerry also bought a company that did something clever with virtual sims. So you could have a work number live and dialable that will connect to your phone, whilst your own personal number on the phone also works. AFAIK you could block the work phone number whenever you wanted.

I think you could also turn off notifications from the work side. You get to 5pm, and switch off the work partition and number, and no one else can do anything about it.

Too Clever

All in all it is a pretty sophisticated approach to BYOD, with a far higher level of functionality than things like Knox, or IronMobile. It allows the handset owner to strike the balance they want between work and not-work, and be in control of their stuff without having free rein over the work stuff.

But the number of people who could be bothered to see if anyone had done anything more sophisticated than Google or Apple is quite low, and still fewer were in a position to be able to persuade bosses of its merit.

That type of technology is something that genuinely helps working people have less stuff to carry and have an easier time running their lives. Trouble was that Google and Apple have shown the world that you can make $100billions by simply the needs of working people.

5
0
bazza
Silver badge

Re: Market research

@nymike,

That's the consumerization of tech, that's how the iPhone also ate BlackBerry. And it's not always a bad thing, if it brings more money for increased development spending etc. (People preferred the iPhone over BB because it was better!) But, you have to do the consumerization right. Apple 1, Microsoft 0.

BlackBerry's response to iPhone, BB10, has some marvellous technical features that make for a really good BYOD solution. The problem they had was:

1) Apple had already "educated" people as to what to expect from a smartphone, so neat technical solutions to the BYOD problem didn't get any interest,

2) it was too late.

The results are that these days, certainly where I work, everyone has a work mobile and a personal phone. Carrying 2 phones in this day and age is nuts, but that's what most British workers with a need for a mobile phone end up doing.

Apple could buy BlackBerry really easily, absorb that tech, but the results of consumerisation are clear; there's no real money in supporting business users anymore.

We see it in other areas. BlackBerry Travel is a superb app, and always has been since long, long before iPhone and Android came on to the market. If you and colleagues did a lot of travelling it was fantastic - it managed all your flights, hotels and car rental, kept you up to date on delays, etc. It would even tell you which gate to go to before the airport's own displays. It still works today, but is being shut down this September. Apparently the company behind it, WorldMate, are deciding there's no future in competing against Google's equivalent. But in comparison, Google's equivalent is a poor, poor imitation.

BB10 Skype

On the plus side, Skype on BB10 (a warmed up version of the Android skype) is unchanged. Doesn't work amazingly well, but works well enough and doesn't make a fuss about it.

8
0
bazza
Silver badge

If they can do this to a simple thing like Skype, what might they do to Office?!?!

32
0
bazza
Silver badge

Re: It's Great!

So it's attempting to say, "pay attention to me, not the person you're talking to"?

I'm not sure that MS have fully understood this communications thing...

15
0

SpaceX halts Intelsat 35e launch twice in a row

bazza
Silver badge

Re: Violation Of Abort Criteria

It is certainly a "no shit, Sherlock" excuseexplanation. It's not like there's anything that's allowed to look a bit iffy, launch anyway, it'll be fine.

1
0

Google DeepMind trial failed to comply with data protection – ICO

bazza
Silver badge

Fixed?

"We accept the ICO's findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed actually bothering to write to our patients to tell them that we slurped their data and about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety, but as much as we'd like to do that it's doubtful that they'll have any reason to believe us and will likely win if they choose to sue"

Is that a good enough fix?

5
0

Intel AMT bug bit Siemens industrial PCs

bazza
Silver badge

Re: " It..checks the number of characters of password received against the actual password,

Just to be clear you're implying that they don't even check the actual password against the entered password? Are you sure that's what you mean as that's a real "WTF?" moment right there.

Unless things have changed since I last read about it; they do check the entered password against the set password, but only if the entered password has more than zero characters. Give it a zero length password and it thinks that everything is a-ok. It was down to a misuse of the strcmp() function.

It's a serious cock up. Knowing the basic architecture and functionality many people have been theorising about the possibility of this kind of bug, but this was an absolute peach. There's going to be more I suspect.

1
0
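The zero-length bypass described in the comment above, as an added C example that is not from the article or the commenter: the comparison length is taken from the client-supplied string (the pattern publicly reported for the AMT digest check), so an empty response compares zero bytes and passes, beside a fixed-length compare that does not. The function names and the expected digest value are constructed for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the digest the server computed for this request.
 * In HTTP Digest auth this would be a hex MD5 string; the value is made up. */
static const char *EXPECTED_RESPONSE = "5f4dcc3b5aa765d61d8327deb882cf99";

/* Vulnerable pattern: the number of bytes compared is taken from the
 * client-supplied response. An empty response compares zero bytes, so
 * strncmp() returns 0 and the check "succeeds"; any correct prefix passes too. */
int check_response_vuln(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/* Hardened: the length must match the server's value, and every byte is
 * compared without an early exit so neither length nor prefix leaks timing. */
int check_response_fixed(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    const char *probes[] = { "", "5f4dcc", EXPECTED_RESPONSE, "deadbeef" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("response=\"%s\" vuln=%d fixed=%d\n", probes[i],
               check_response_vuln(EXPECTED_RESPONSE, probes[i]),
               check_response_fixed(EXPECTED_RESPONSE, probes[i]));
    return 0;
}
```

For detection, an authenticated request whose Digest "response" field is empty or much shorter than 32 hex characters is the signature to alert on in web-server logs.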

How to pwn phones with shady replacement parts

bazza
Silver badge

Re: Error 53

I sometimes wonder if people ever stop and think about why phone manufacturers like Apple are fond of sleek, smooth materials like glass, used in places where glass is not required.

Looks nice? Sure. Breaks easily? Fairly easily. Encourages you to buy a new one when the back of your old one is trashed? Yes.

They're certainly not made for durability, which plastic is actually much better at.

Not that durability requires plastic. When Apple had the opportunity to move over to sapphire glass, which is nigh on indestructible, they decided not to. Part of that decision might have been the motivation to not make a phone that really would last forever.

3
1
bazza
Silver badge

Re: Error 53

I think partly yes, and then again no.

It's possible, so guarding against it is a good idea.

On the other hand, the cost/reward ratio for someone doing this isn't that favourable. You'd have to do some serious bank account drainage to make it worthwhile I suspect. And if it became a common thing people would simply stop using the dodgy repair guys, lesson learned.

I think Apple's reasons were more related to revenue "protection".

3
2

Not that scary or that hard: Two decades of VLANS

bazza
Silver badge

VLANS Are Useful

That is all.

0
0

Australian regulator will decide if Uber drivers are staff or contractors

bazza
Silver badge

At what point do the VC investors pull the plug? The way things are going they're going to burn through all the money and have nothing to show for it except for a lot of disgruntled drivers, a poor reputation as a company and possibly a whole bunch of unpaid fines. Not very good material around which to build a compelling IPO...

They’ve been going for a while now, and AFAIK there's little evidence to suggest that they can ever be profitable. Why waste more money on it? If they closed down Uber now, they wouldn't have to pay redundancy to all those drivers who look like becoming staff in the near future.

1
0

Don't panic, but Linux's Systemd can be pwned via an evil DNS query

bazza
Silver badge

Re: Hang on, all y'all ...

Unfortunately most anti-systemd trolls are childish and couldn't code their way out of a paper bag

No. A lot of people had already written a ton of perfectly good code, which RedHat/Pottering then consigned to the scrap heap using their control of another key project to force everyone else to follow suit, replacing it with a pile of code that has repeatedly been shown to be full of security flaws like this one.

RedHat / Pottering might be able to code their way out of a paper bag, but their strategic decisions have put everyone including themselves inside several thick hessian sacks tied at the neck. It's going to take a long time to get out of the sacks.

GNOME may as well be closed source.

Anyone thought about re-doing systemd in Rust?

21
0
bazza
Silver badge

Re: Hang on, all y'all ...

The point is that someone, and we all know who, has used their corporate position (i.e. control of the Gnome project) to force a big pile of code onto the rest of the Linux world, and has made the classic mistake of making it do too much, for no good reason. For example, what earthly reason is there for an init system to be providing a dns reverse lookup service?

By unnecessarily replacing lots of existing working code with a lot of new code, it's inevitable that there's a shit load of vulnerabilities. These are going to take decades to find and fix. And because of the unnecessarily wide scope of systemd and its privileged position in an OS, bugs are potentially dangerous.

And because a ton of scripted code has been replaced by a ton of C code, arguably there are more classes of bug (like buffer overruns) to be worried about.

This has been a backward step in system security. It will be a long time before we can trust it. There are very large groups of bug hunters out there who have every intention of using them for malicious purposes, and systemd is great for them. Even if Pottering can point at an empty list of issues for systemd, that doesn't mean there are no security bugs.

66
1

Search results suddenly missing from Google? Well, BLAME CANADA!

bazza
Silver badge

Enforcement is easy enough. Fine Google. Or if Google takes its corporate presence outside of Canada, pass a law banning Canadian companies from using their advertising services and fine them.

The ad boycott that started in Europe caused Google to lose cash. That's when they started paying attention. It became immoral to advertise on Google, something advertisers don't like, so they withdrew their accounts.

Imagine if it also became illegal?

The world's legal systems haven't really even begun to catch up with the implications of dominant global online services. In the meantime Google especially (and a few others) are making a ton of what could be described as dodgy money. The Europeans are more active at working out whether what they're doing is actually legal and openly competitive, and increasingly they're finding against Google.

Now Google is a wealthy company and should be able to anticipate some of these rulings. They know they're the dominant player, and consequently it is inevitable that some of their website features will attract attention. Now they have to explain to their shareholders why their American style business strategy was the best one to use globally. It wasn't, it's costing shareholders money, and it looks like it's going to get worse.

11
2
bazza
Silver badge

Re: Does this mean...

...all heck will break loose.

Doesn't sound too bad. Does it tickle?

10
0

Google hit with record antitrust fine of €2.4bn by Europe

bazza
Silver badge

@Ken Hagan,

Intel and Microsoft also changed the world for good. If you are too young and uninformed to remember or know how, I suggest you do some reading up on how the world was back then. If they have both become fat and lazy and exploitative in recent years, well they are in good company: Google have gone the same way.

At least AMD seem to be giving Intel a hard run for their money again. Competition there is good at the moment. Intel have totally failed to dominate the mobile CPU market. MS dominated with Windows, NT, domains, and then Active Directory. The fact that they got forced to open up those protocols (for a modest fee) was a good thing. The Samba team got the funds together, and that means that there is now an increasingly viable alternative to Windows Server for domain administration. That too is a good thing. MS office doc formats are publicly available, another good thing they were forced to do.

My point is that, yes, Intel and MS have pretty strong positions, but there has been regulatory intervention, even in the USA. Whether there's been enough or not, I don't know. However with Google there's seemingly nothing they can do that annoys the US regulators, which seems worse than the situation we had / have with MS/Intel.

4
0
bazza
Silver badge

Re: If you were to invent a really great device...

@Doug S

"What percentage of all advertising is a recently invented really great products that most people haven't heard of yet, versus the assortment of me-too products that bring nothing new to the table, useless products that bring nothing at all to the table, assorted scams that are a drain on society, or worst of all, political ads?

I'd say about 0.1% or so is really great product you haven't heard of, at a guess. And I'm probably overestimating at that!"

Your analysis is probably right. Advertising is, to some extent, corporate blackmail. "If you don't advertise with us, we'll make sure that your competitor does". I'm sure it's not said like that, but that's what all publicity departments feel like.

The problem these days is that Google and everyone else have invented a whole new vast array of "places" where adverts can appear. Pre-Internet, there were only so many bill boards, only so many magazines / newspapers, only so many TV channels / ad stops mid show. Nowadays there's practically every single web page on the bleedin' planet, with the notable exception of Wikipedia and the BBC. Google of course are responsible for a big chunk of that; too responsible in fact, according to today's ruling and €2.4billion fine from the EU.

According to the UK Internet Advertising Bureau here UK online advertising is approx £7billion per year. Acknowledging that all advertising is ultimately paid for by consumers, performing some crude calculations on that is quite revealing. £7billion / 60million people = £116 per person per year. Working that out for just wage earners, I reckon that's close to £280 per year, extra money spent on things we buy simply because they're advertised online. Apparently non-internet advertising is about another £7billion, so all told we're spending something like £560 per year just on being advertised at.

Of course, that's a crude analysis, but it's kinda hard to argue with. Advertising doesn't look like good value for money when looked at that way. If one were to ask anyone on the street whether they'd pay £280 per year to use Google search, maps, mail and a few other websites, having already spent £700 on a phone, I doubt there'd be many takers.

I'd quite happily pay £12 per year to use El Reg, ad free. I bet that'd be more than the dear old thing earns from me through ads (and I mostly don't run an ad blocker on El Reg).

4
0

Linus Torvalds slams 'pure garbage' from 'clowns' at grsecurity

bazza
Silver badge

Re: Linus exhibits all the qualities of pure sociopath

If it wasn't for him, we'd be limited to Windows, and maybe what OSX would've been.

That's very doubtful. FreeBSD's origins predate Linus's efforts, and FreeBSD itself first hit the Web very soon after Linux. Had Linus studied the History of Art instead, FreeBSD would have come into existence anyway (it was well on the way to completion). FreeBSD is pretty good.

Then there's the NetBSDs and OpenBSDs of this world.

You're also ignoring some perfectly good commercial OSes; QNX, INTEGRITY, VxWorks are all excellent. QNX in particular is quite interesting, in theory it's capable of being the basis of a desktop OS (you could use it like that back in its very early days). INTEGRITY could too, though that would be a massive piece of work. VxWorks is well and truly stuck in the world of embedded systems, but is (like the others) pretty good at what it does.

3
0
bazza
Silver badge

Re: SELinux is not the answer.

I am no SELinux expert, but isn't one of its problems that it can be configured badly, to the point of uselessness? Of course, "configure", "badly", and "uselessness" are all very subjective words, everyone has different requirements...

Doesn't BlackBerry's spin of Android run GR patches? If so, anyone know whether it has resisted exploits that have worked on other flavours of Android? Linus might not like the GR guys, but if their code is working then there must be some merit in it.

4
0

AES-256 keys sniffed in seconds using €200 of kit a few inches away

bazza
Silver badge

Re: AES was not cracked, cut the click bait

@Mage,

But most of the world's encryption users are now running ARM based phones or tablets. The majority of x86 are either work related laptops or in server rooms and now seriously outnumbered by ARM based gadgets etc.

Whilst that's true, there's still an effort / reward balance to be considered.

Look at Oyster cards on the London Underground. Are they the ultimate in security, the most impenetrable of contactless subway ticketing, proof against nation states and even capable amateurs? No. Do they need to be? Not really, it costs more to clone / hack one than the cost of just paying the fare.

So yes, it might be that someone could build a sniffer the size of a rucksack, and start picking apart keys on random communications decrypted by crypto co-processors commonly found on, say, ARM SOCs in phones on the tube, in a coffee shop, or IoT devices in someone's home, etc. But to what purpose? I don't really see the point. It'll still be a needle in a haystack, and even if a phone is only moderately well screened (like they probably are to pass EMC accreditation), there's little prospect of being able to make anything of it.

Certainly if it ever became a problem it's so easy to counter it.

2
2
bazza
Silver badge

Re: AES was not cracked, cut the click bait

Indeed. I feel they set this up to succeed.

Nothing wrong with that of course, but it would have been far more impressive had they pulled off the same trick against an x86 server running a busy workload as well as doing crypto operations. There would be far more background noise to obscure a useful signal. Also due to the mixed workload there's not likely to be an obvious signal to latch onto in the first place. And it'd have a metal case.

Therefore I don't see this result leading to any changes in practices. If there's someone who can get within a couple of meters of one's infrastructure then you've already got a problem. Installing a keyboard logger or something else like that sounds more productive for the attacker.

14
0

Florida Man to be fined $1.25 per robocall... all 96 million of them

bazza
Silver badge

I think he should be made to listen to each and every single one of those 96 million calls too.

7
0

Not Apr 1: Google stops scanning your Gmail to sling targeted ads at you

bazza
Silver badge

Re: Spamfilter to be crippled too?

You mean the one they got by buying Postini? The one that became worse once Google got their hands on it? That one? It's OK, but they made some needless changes that then made it harder to integrate, and harder to use. And a paid for, unscanned anti spam service became just as paid for but with added scanning for ad data mining.

I doubt this change will alter the spam filtering aspects of their service. It's a completely different scanning process (not looking for key words, just looking for commonality between emails, and specific patterns in binaries, etc.).

1
3

F-Secure's Mikko Hypponen on IoT: If it uses electricity, it will go online

bazza
Silver badge

It's simple really, they're a vast company and can afford to do it properly.

A lot of these IoT things are being done by quite small companies without the long standing software dev team whose only job is to keep up with Linux patches, etc. It's make it work, sell it, abandonware it ASAP and move on.

Belkin seems to be fairly well behaved too.

0
0

In the Epyc center: More Zen server CPU specs, prices sneak out of AMD

bazza
Silver badge

Re: That SEV mode looks really interesting

They just have to not check the box for encryption.

Fine, provided the hypervisor writers remember to make that a checkable option...

On the topic of hypervisors, it does open up a new avenue for malware. Malware could stand up its own hypervisor, with encryption enabled, or use a hypervisor offered by the host OS, and run its payload in that VM. There's then nothing the host OS could do about looking inside that VM. There's plenty of reasons why malware wants discreet, unobservable runtime on someone else's hardware.

0
8
bazza
Silver badge

Re: That SEV mode looks really interesting

This harks back to some work done a long time ago. AMD opened up Hypertransport, meaning that any old Tom, Dick or Harry could make silicon that could plug into an AMD socket.

And people did, well, at least they did FPGA modules that could plug into a second CPU slot. I'm sure that one of the things someone did was to turn the FPGA into a RAM encrypter. Looks like AMD have moved that functionality over into the main CPU's memory controller.

It's an interesting idea that the hypervisor cannot see inside the VM. The IT security researchers won't like that particularly - they use VMs as a way of studying viruses, trojans, etc, relying on the hypervisor being an unseen God mode stealthy observer of whatever happens inside the VM. Meanwhile the malware writers go to a lot of effort to ensure that their malware detects a virtual environment and deletes itself, to prevent the whitehats unpicking the malware.

However, if SEV mode becomes commonplace, it might give the malware writers an unexpected advantage; the whitehats might no longer be able to see inside the VMs...

0
15
bazza
Silver badge

I doubt it has been open sourced.

Perhaps the more important thing is that hopefully they've not made the mistake Intel did - connecting a system management microcontroller running an opaque binary blob with complete access to everything to the machine's Ethernet, and then finding that they'd fucked it up...

8
1

Uber CEO Travis Kalanick has resigned, says report

bazza
Silver badge

Don't. Just. Don't. Mention. That. Possibility.

On a more serious note, there's now an infamous ex CEO on the loose, and the passage of time will diminish that to merely "heard of him, must be good". He will end up being someone's boss somewhere at some time in the medium term. So now we're all kind of playing CEO roulette...

14
0

Microsoft admits to disabling third-party antivirus code if Win 10 doesn't like it

bazza
Silver badge

Re: Nothing new under the sun

Sadly these days MS seems to be responding, "our lawyers are more expensive than your lawyers, and we can afford to keep them busy for the rest of eternity".

Doesn't mean they win, but they do seem prepared to go to court against their users!!!!! Customer Relationship Management at its finest...

33
2
bazza
Silver badge

Re: Admission

There is one aspect of old AV software that is worth remembering. It has complete access to the entire system, and it can itself become a vector for infection. We have already seen this, where the AV software's update mechanism could be turned against it and used to install malware.

Let me see, which one was it that had that problem. Ah yes, MS defender!

It would be highly weird if MS used that particular example as part of their defence against Kaspersky's case...

That doesn't mean the point is invalid. Old AV software can be very dangerous if exploitable bugs are found. If so, removing it is likely better than leaving it running. But MS declaring it to be actually dangerous simply because it is old is probably a step too far.

What seems totally indefensible is MS managing what apps install or not based on some weird perception of compatibility. An application is either compiled for Windows, or it's not. MS's criteria seem to be covering other aspects of applications (colour scheme?).

I could understand it a tiny bit if an application was using a deprecated API call. If that's the case then they should put up a dialogue box saying so, or just complete the deprecation process by actually removing the API call from the OS. That would break the application, but at least there'd be a trail of notices to developers giving fair warning.

I'm a long time Win 7 user. If Apple sort out their hardware line up I'll be heading for Mac land when 7 drops off support.

20
1

Google may follow Apple, design mobile chips in-house

bazza
Silver badge

Re: "Android multitasking is dire. Still can't match BB10."

Another BB10 diehard here...

If Google are so keen on the microkernel idea (Project Treble), why don't they just buy BlackBerry with a bit of loose change and actually get hold of a proper, solid and highly respected QNX microkernel OS?

If literally every manufacturer is going to have to re-write their drivers for Treble, why not re-write them for an actual microkernel OS instead, make a complete break with Linux? The rest of the task is, in comparison, fairly straightforward; it's another POSIX compliant unix-like OS environment, recompilation of Android's userland doesn't seem too great a task, especially as Google are also in control of their own application development environment.

0
1
bazza
Silver badge

Re: As they say....

@Dave 126,

"Google are beginning to put the pieces in place so that Android handsets can be effectively updated without the code first going through the chipset and Original Device manufacturers; if it were that easy, Google would have done so years ago because *they* do have a strong incentive to do so."

Yep, Project Treble, a well overdue and welcome development. They're turning Linux into a microkernel. I can't see Linus liking that!

In a way it's an unspoken acknowledgement on Google's part that they seriously cocked up the entire roadmap for Android from the very beginning. It's like they chose Linux "coz it's free and cool", without even beginning to think about the possible consequences. And here we are, years later, with appalling and, frankly, embarrassing update problems. No one else in the history of anything even remotely related to computers has ever built such a large market with such a crap software upgrade path.

Project Treble might start solving some of these issues. What'll be interesting is to see how this plays with the wider Linux development roadmap. It's another split away from the kernel mainstream (bad), but they'll be ending up with a kernel with fewer hardware dependencies (good).

In a way the Linux world needs Linux to go the microkernel route too. This will allow things like WiFi and graphics drivers to be done by hardware manufacturers jealously guarding their IP or not wanting to have an enormous team dedicated to driver updates every time Linus and chums change anything. However I can't see the Linux kernel development community, or Linus himself, being particularly keen on the idea.

1
0


Biting the hand that feeds IT © 1998–2017