* Posts by Norman Nescio

301 posts • joined 7 May 2008


Peak tech! Bacon vending machine signals apex of human invention

Norman Nescio
Bronze badge

Re: The best bacon

In my view, jowls don't count as bacon either, but I seem to have been outvoted on that.

Pigs' jowls might also be known as Bath Chaps, a speciality my father much enjoyed.

What counts as 'bacon' may well be country/culture specific, so I wouldn't say you are wrong, but in my culture bacon made from pigs' jowls doesn't exist, but as anything made from a pig is usually tasty, I'd be willing to give it a try.

0
0
Norman Nescio
Bronze badge

The best bacon

Is more than 1/8" thick, rind on, has adequate fat, not injected with water and/or polyphosphates, and grilled*. My preference is for unsmoked, but others prefer smoked, which is fine.

Bacon that is so thin that it is translucent, pumped full of polyphosphates and water so it dies by drowning in a frying pan is not bacon, but a transparent grab at profits by the manufacturers.

*If frying, I'll agree with a previous poster that the frying pan should not be too hot. You want sufficient fat to render out before the bacon carbonises, then fry the eggs and bread in the rendered fat. A lot of really good bacon won't give enough fat, so you need to add lard.

19
0

Support whizz 'fixes' screeching laptop with a single click... by closing 'malware-y' browser tab

Norman Nescio
Bronze badge

Re: TUBE

I remember the tricks of getting PCs to ork with dodgy peripherals.

I guess you got used to composing documents sans the use of the letter in the English alphabet that precedes 'x'.

Ernest Vincent Wright could have been a member of staff.

That and the use of Alt+<number entered by the numeric keypad>. I suspect you used Alt+0119 and Alt+0087 a lot. That and the Character Map utility.

4
0

GCHQ pushes for 'virtual crocodile clips' on chat apps – the ability to silently slip into private encrypted comms

Norman Nescio
Bronze badge

Misdirection

While everyone is arguing over encryption backdoors, the Signals Intelligence Agencies are successfully misdirecting people, as you would expect.

Snowden made it quite clear in the Q&A session hosted by The Guardian in 2013 that:

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

My emphasis on 'properly implemented'. While the algorithms used by various applications may well be theoretically secure, many implementations are flawed. Good luck in finding a CPU that doesn't have a built-in back door (Intel ME, AMD Secure Technology, VIA C3 "God Mode", ARM TrustZone*), and, if on a mobile phone, doesn't have a baseband modem with proprietary 'binary blob' firmware which can be updated over the air by service providers that also has access to main memory (and therefore decryption keys). In addition, there are poor random number implementations, and overly bloated libraries with an indefinite number of flaws (OpenSSL) that have multifarious leaky side-channels. It is very strongly suspected the SigInt agencies actively try and influence standards setting committees to subvert and/or make implementations complex and prone to bugs so that groups like the NSA's Tailored Access Operations (TAO) have a range of implementation flaws to work with (see also BULLRUN). Easily obtainable secure end-points for communications do not exist. While everybody argues about the security of data in transit, little attention is paid to the security of end-points, which is a situation I expect the SigInt agencies are very happy with.

It should not be necessary for me to point out I am against terrorism and/or child abuse. That said, as a society we appear to have a hard choice to make: gain the ability for select groups of people in authority to intercept communications between terrorist and/or child abuse conspirators (that ability also subject to abuse and subversion) ; or retain the ability for innocent people to have private conversations. It appears we cannot have both. I suspect that in the long run we will lose privacy. If you look at the use of social media, the cultural norms around privacy have changed hugely in a short period of time, and I would not be surprised for people in the future to make the explicit choice of living in a panopticon, partly justified on the basis of security and for the sake of the children, but mainly simply because it becomes normal to do so, and anyone desiring privacy would be regarded as a misfit.

*Note that a lot of this technology is justified by its use in DRM for media use. Secure channels for playing digital media, etc; and also its use in easing management of large organisations' IT estate. Trusted Computing is about third parties being able to place what they regard as their content on 'your' computer and control it such that you can't do with it what you like - that is they trust 'your' computer to do what they want. Great for Hollywood and corporate IT departments; and coincidentally great for SigInt agencies.

9
0
Norman Nescio
Bronze badge

Re: Trying reasonableness?

I can't remember the name of it off hand but there's another internet law about satire being mistaken for a serious position. Need something like the joke icon to prevent the misunderstanding.

That'd be Poe's law:

...without a clear indicator of the author's intent, it is impossible to create a parody of extreme views so obviously exaggerated that it cannot be mistaken by some readers for a sincere expression of the parodied views.

25
0

Boeing 737 pilots battled confused safety system that plunged aircraft to their deaths – black box

Norman Nescio
Bronze badge

Rudder, Elevator, Stabilizer, Ailerons, Flaps, Spoilers. That's it. Six things to know about.

I'm so glad we have such experts as you here to advise us.

And there was I thinking that LANDING GEAR might, in some way, be important to the successful conclusion of a flight.

"Any landing you can walk away from is a good one!"

— Gerald R. Massie, U.S. Army Air Forces photographer. Written in 1944 after the crash-landing of his B-17.

2
0
Norman Nescio
Bronze badge

Re: Really?

"This is a computer system designed to prevent the nose of the Boeing 737-Max from pulling too far up and putting the plane into a stall when under manual control. It has nothing to do with the airplane's autopilot."

Nope nope nope nope nope

When machinery is under manual control, it should be under manual control. There is absolutely no reason at all for this system to automatically control the aircraft. For decades aircraft have had the capability to alert the pilot audibly and visually and to even announce recommended action to a potential stall condition as well as a plethora of other potential pilot errors. That's where it should end. The pilot should always then get to decide whether to follow that advice or not.

How the hell did people sit in a room and decide that it was fine to let the computer have the final say?

I can handle the risk of a pilot making a mistake, I know that other than in the rarest of cases they will try very hard to correct that error to save their own skin.

MCAS is Boeing's solution to the problem of getting the 737 MAX certified as airworthy by the FAA (14 CFR Part 25 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES). The 737 MAX replaced the engines with heavier, differently shaped, more powerful versions that needed to be placed further forward on the airframe. This increased the moment arm of the engine's thrust, which exacerbated the pitch-up when thrust was increased. This meant that at high angles of attack, increasing the thrust could stall the aircraft*. In order to pass the FAA's longitudinal stability requirement, Boeing came up with MCAS, which moves the stabiliser to provide nose-down pitch at high angles of attack to prevent stalling. Without MCAS, the 737 MAX would not have been certified to fly.

More information here: The Air Current: What is the Boeing 737 MAX Manoeuvring Characteristics Augmentation System (MCAS)?

And here: Leeham News: Boeing’s automatic trim for the 737 MAX was not disclosed to the Pilots

It operates when the aircraft is being flown 'manually' (i.e. not by the Auto Pilot) with flaps up, because without it, the aircraft would not be certified as airworthy. It is there to prevent unwanted handling characteristics becoming a problem, but that works only when MCAS is receiving good data. You can fly a Boeing 737 with electrically assisted trim turned off, as there are manual trim wheels connected via cables to the stabiliser trim mechanism. They move when the electrical trim operates. Manual operation requires 50 turns per unit of trim (250 turns from full up to full down), and if the stabiliser is experiencing significant aerodynamic loads, can require some effort to move.

So, if you are flying with flaps up (i.e. not configured for landing), without autopilot, MCAS is in operation. If the MCAS system is incorrectly told there is a high Angle-of-Attack, it will automatically command Nose Down trim until the AoA falls to a level that the MCAS system programming is set up to regard as not needing the correction assistance. If the AoA doesn't change by enough, it will continue to command Nose Down pitch. If the pilot uses the toggle switch on the yoke to manually control the electrically assisted stabiliser movement, MCAS backs off for a few seconds, but will resume after a short period. If you switch to autopilot, MCAS is disabled, and if you extend flaps it is disabled. However, if there is an airspeed mismatch between the pilot's and co-pilot's instruments, autopilots generally disengage. As the airspeed is calculated from a combination of data from the pitot system and the AoA sensors, if AoA is wrong, airspeed will be wrong.

If you are at the point where the stabiliser's nose down trim setting exceeds the elevator's authority to bring the aircraft's nose up, you have a problem (at this point, it will probably require both the pilot and co-pilot pulling as hard as they can on their respective control-yokes simultaneously). Disabling all electrically assisted trim at that point may put you in an unrecoverable situation, as you might be unable to manually alter the stabiliser pitch setting fast enough to get out of the dive. If you are using all your strength to pull on the yoke, you don't have any hands free to rotate the trim wheels.

If the incorrect operation of MCAS is recognised at an early stage, it is easy to recover. If you leave it too long, it might not be possible to recover.

I am not an expert, so I may have got things wrong. Corrections are welcomed.

NN

*This is simplifying things a bit. The shape of the engine nacelle also provides additional lift at high angles of attack compared to the previous engine, so even without extra thrust, pitching up can be less benign than you expect. MCAS is there to ensure the combination of the airframe and handling systems meet the handling rules - it is meant to provide predictability.

11
0
Norman Nescio
Bronze badge

PPRuNe threads

The relevant Professional Pilots Rumour Network Threads are below.

Note that if you are not a professional pilot, it is really not a good idea to post there, and especially not with 'newbie' questions and theories that are not backed by experience in the aviation industry. However, the forum publishers are nice enough to let other people read the forums, which can be an invaluable source of information.

Note also it is a Rumour Network - don't assume everything posted is correct. But there is a good signal to noise ratio.

PPRuNe Rumours and News thread: Indonesian aircraft missing off Jakarta

PPRuNe Tech Log Thread: B-737 Speed Trim System

PPRuNe Tech Log Thread: 737MAX Stab Trim architecture

12
0

Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up'

Norman Nescio
Bronze badge

Replacement laptop

NCC sounds large enough for them to have the strategy/policy of suspected hardware problems being dealt with by issuing a replacement laptop from the pool of spare laptops held by IT with a fresh new image on its hard drive / SSD. If the problem is resolved, it was hardware. If the problem continues, you have eliminated the hardware (unless, of course it is a common cpu / other hardware bug that only this user's workload triggers).

In my case, when in the past I was subject to the rigours of IT support, if this ever happened, it would be a real pain, as I had opted out of IT support (which was possible with manager's approval) - so *any* problem reported to IT would result in an offer of a re-imaged laptop or nothing. It meant I could set up my own machine as I saw fit (within limits), but had to support myself, and I was as good at searching on the Internet as IT were for whatever Microsoft patch or registry setting or arcane software configuration needed to be set. In fact, I had a considerably greater incentive to find the fix to avoid a hardware swap-out and a re-imaged system.

It meant I put my own DRAM into 'my' laptop, considerably improving performance, and replaced the fan (which required complete disassembly of the machine) when the original gave up the ghost. Thankfully, the BIOS wasn't locked, so I could boot off a USB stick and run up Linux (this was before the ubiquity of workable VMs), and PortableApps were a godsend* - I could debork, using OpenOffice (the LibreOffice fork hadn't happened then), the vast Word documents generated by my colleagues which would corrupt themselves shortly before the deadline of issuing an RFP response.

It's sad that it is not easy to get quickly to the root cause of many problems associated with Microsoft software, but I can well understand that it is not worth an IT department's time to do a full forensic diagnosis for each and every odd user experience. It is far, far easier to offer a drive re-image, or a PC swapout, and usually faster than a fault-finding session if you have a pile of spare PCs ready to go. You can then spend the time on the users that come back with the same problem after a hardware and software swap-out, or servers, where a drive re-image is more complicated due to needing to re-set-up complex application software.

*I have no connection other than being a satisfied user. YMMV. Use of such things might be forbidden by your IT / Data Security policy.

3
0

Consultant misreads advice, ends up on a 200km journey to the Exchange expert

Norman Nescio
Bronze badge

Re: Spoilers in Tech Docs!

You ring the doorbell. You click the mouse. You boil the kettle.

Oh, didn't you realize "boil" is onomatopoeic? Ah well. Carry on pretending to be an authority on English.

<pedant>I generally boil the water in the kettle, not wanting high temperature metal and/or plastic vapour floating around the kitchen.

I wouldn't say the word boil is onomatopœic - for me at least, boiling water doesn't sound like boil...boil...boil. You might argue that 'kettle' is a meronym for the combination of the utensil used to boil the water and the water itself (and also a synecdoche). </pedant>

For me, the vast majority of mice I have used emit a click sound when one of the mouse buttons is depressed, so it is entirely reasonable to use that as a description of the action needed to activate an on-screen button; just as when using a touch sensitive screen, the action people use to activate on-screen buttons is to tap the screen. I find silent mice take some getting used to, as I am accustomed to getting the auditory feedback. One of the problems I have with 'flat' interfaces is the lack of feedback when you try and activate sensitive areas. If you are not sure if your tap has been registered, you can tap several times to try and get a response, which can be less than useful if your taps are buffered and applied later.

6
1
Norman Nescio
Bronze badge

Re: Spoilers in Tech Docs!

do you click the doorbell or do you press it?

At one of my friends' dwellings, I pull the porcelain handle hanging down from the porch. The handle is attached to a wire cable in a conduit, and somewhere in the depths of the house a physical bell on a spiral spring jangles. Another friend has beside the entrance door a sprung knob which you pull and release to set a bell ringing. That confuses a lot of people, even though the brass around the knob is engraved "Pull to ring".

I remember visiting someone in a flat somewhere on the continent, and the doorbell was a rotary device - you rotated it, and a bell on the other side of the door, much like an old-style bicycle bell, trilled away. A similar device I have seen is a clockwork doorbell, which has a conventional button to push, but which is wound up by turning the bell on the inside of the door. If you forget to do this periodically, it falls silent.

I have yet to see a doorbell operated by a lever, but I expect it is possible. Or even a pneumatic plunger to operate a whistle.

5
0

From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs

Norman Nescio
Bronze badge

Laconic if...

I was tempted to answer simply:

If...

But thought it might be a little less cryptic, and little more helpful, if I expanded for clarification.

I have upvoted you for being correct.

1
0
Norman Nescio
Bronze badge

Re: TP-Link

Well, if you're so inclined you could look up the list of cheap routers supported by openWRT, and set up your own security rules. Sensible guidelines are available...

I'll reply, with a Laconic "If...". You were right to write "If...", as most people not seriously interested in networking are not so inclined, and the botnet herders rely on the stupid, the ignorant, the lazy, and the arrogant people who don't want to spend the time and trouble to learn how to do things well, or pay someone to do it well for them.

And while I am a great fan of OpenWrt, it is not a universal panacea. While it is very good, the kernel has got so big now, the volunteers who produce and support it have trouble in keeping the firmware image small enough to fit into the lowest capability platforms currently supported. The next image is likely to drop support for a lot of the older and/or smaller devices, and there is discussion and special pleading on the developers mailing list regarding this issue.

I can see legislation and regulatory bodies to enforce the legislation being set up in the future to enforce information security - this may not be the boon FLOSS enthusiasts expect, as it could turn out that only the largest companies will be able to afford to have software certified to meet any regulations. I expect some serious lobbying will be needed to get carve-outs for FLOSS enthusiasts' use of software. I would not be surprised to see a situation like Part 'P' for domestic electrical work, where security is not materially improved, but 'competent companies' get a licence to print money. I'll answer to being called cynical.

1
0

Germany pushes router security rules, OpenWRT and CCC push back

Norman Nescio
Bronze badge

Re: The updates section is not very good

1. Mandates firmware updates from WAN, so flash will need to be double size to hold old image and new image

Operationally, having ample flash is by no means a bad idea, even when you are connected locally by a LAN. It can be a godsend to be able to roll back to a known good firmware, without having to get into arcane recovery techniques, up to and including needing to solder JTAG connectors.

Of course, if you are in the arena of extremely low-cost embedded devices, where the cost saving of not including the extra flash is material, then limiting the amount of flash may well be the 'right' decision.

If you are expecting the device to have a long usable lifetime, where multiple firmware updates are expected, then I suspect the probability of an update going wrong increases, and the cost-benefit of having enough flash to hold two images looks better and better.

So, while I can see that there are cost-based arguments against having the extra flash*, my gut feeling is that it's better to have than not, as it allows rescue from what would otherwise be situations that would be difficult to recover from.

*There are complexity arguments too. Having two flash images implies you have some mechanism to choose between them, which is an added complication which can go wrong. Murphy is patient.

0
0
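The dual-image mechanism mentioned in the footnote above, as an added example that is not part of the original post or of OpenWrt's own code: a minimal A/B slot chooser of the kind a bootloader runs before handing control to a kernel, with a boot-attempt counter and automatic rollback to the last confirmed image. The slot metadata layout, the three-attempt limit, the anti-downgrade rule and all function names are assumptions for illustration.

```c
/* Added example (not from the original post or from OpenWrt): A/B firmware
 * slot selection with attempt counting and rollback. Layout and policy are
 * assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>

#define MAX_BOOT_ATTEMPTS 3   /* assumed: unconfirmed boots before a slot is declared bad */
#define NUM_SLOTS 2

/* Per-slot metadata as a bootloader might keep it in a small NVRAM/flash area.
 * Constructed for this example. */
typedef struct {
    uint32_t version;      /* monotonically increasing image version */
    bool     image_ok;     /* header/signature checked out when the image was written */
    bool     confirmed;    /* userspace marked this image as having booted fine */
    uint8_t  attempts;     /* boots tried without a confirmation */
} slot_t;

typedef struct {
    slot_t slot[NUM_SLOTS];
} boot_state_t;

/* A slot is bootable if its image is intact and it is either confirmed or
 * still has unconfirmed attempts left. */
static bool slot_bootable(const slot_t *s) {
    if (!s->image_ok) return false;
    if (s->confirmed) return true;
    return s->attempts < MAX_BOOT_ATTEMPTS;
}

/* choose_slot: pick the slot to boot, or -1 if nothing is bootable.
 * Policy (assumed): prefer the highest-version bootable slot. A slot that has
 * exhausted its attempts without confirmation is skipped, which is what makes
 * rollback to the previous image automatic. */
int choose_slot(const boot_state_t *st) {
    int best = -1;
    for (int i = 0; i < NUM_SLOTS; i++) {
        const slot_t *s = &st->slot[i];
        if (!slot_bootable(s)) continue;
        if (best < 0 || s->version > st->slot[best].version) best = i;
    }
    return best;
}

/* record_boot_attempt: called just before jumping into the chosen image.
 * Incrementing BEFORE the boot (not after) is what makes a crash or hang
 * count against the image. */
void record_boot_attempt(boot_state_t *st, int idx) {
    if (idx < 0 || idx >= NUM_SLOTS) return;
    slot_t *s = &st->slot[idx];
    if (!s->confirmed && s->attempts < 255) s->attempts++;
}

/* confirm_slot: called from userspace once the new image has come up and
 * passed its own health checks (e.g. WAN link up, management reachable). */
void confirm_slot(boot_state_t *st, int idx) {
    if (idx < 0 || idx >= NUM_SLOTS) return;
    st->slot[idx].confirmed = true;
    st->slot[idx].attempts = 0;
}

/* stage_update: write a new image into the slot that is NOT currently running;
 * it starts unconfirmed with zero attempts. Returns the target slot index, or
 * -1 if the version does not move forward (refuses downgrade/replay). */
int stage_update(boot_state_t *st, int running, uint32_t new_version, bool image_ok) {
    int target = (running == 0) ? 1 : 0;
    if (new_version <= st->slot[running].version) return -1;
    st->slot[target].version   = new_version;
    st->slot[target].image_ok  = image_ok;
    st->slot[target].confirmed = false;
    st->slot[target].attempts  = 0;
    return target;
}

/* Worked scenario: slot 0 runs a confirmed v5, slot 1 holds an old v4. A v6
 * image is staged into slot 1 but never confirms (it hangs on every boot).
 * Returns the slot the bootloader settles on after the retries: 0 (rollback). */
int simulate_bad_update(void) {
    boot_state_t st = { .slot = { { 5, true, true, 0 }, { 4, true, true, 0 } } };
    if (stage_update(&st, 0, 6, true) < 0) return -2;
    int chosen = -1;
    for (int boot = 0; boot < MAX_BOOT_ATTEMPTS + 1; boot++) {
        chosen = choose_slot(&st);
        record_boot_attempt(&st, chosen);   /* v6 never calls confirm_slot() */
    }
    return chosen;
}

/* Same start, but the v6 image confirms on its first boot: stays on slot 1. */
int simulate_good_update(void) {
    boot_state_t st = { .slot = { { 5, true, true, 0 }, { 4, true, true, 0 } } };
    int target = stage_update(&st, 0, 6, true);
    int chosen = choose_slot(&st);
    record_boot_attempt(&st, chosen);
    confirm_slot(&st, target);
    return choose_slot(&st);
}

/* Staging an image with a version no newer than the running one is refused. */
int reject_stale_update(void) {
    boot_state_t st = { .slot = { { 5, true, true, 0 }, { 4, true, true, 0 } } };
    return stage_update(&st, 0, 5, true);
}
```

The selection rule itself is a handful of lines; the part that matters operationally is where the counter is incremented (before the jump, so a hang counts) and that a slot is only ever confirmed by something running after the new image has proved itself, which is the "mechanism to choose between them" that Murphy gets to attack.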

Word boffins back Rimini Street in Oracle row: 'Full' in 'full costs' is a 'delexicalised adjective'

Norman Nescio
Bronze badge
Pint

'Full' glass of beer

It'll come down to the definition of 'costs' taken in context.

If, by the definition of costs, they mean 'taxable costs', that's clear and reasonably closed (although see the discussion on beer below). If they mean any and all 'costs', both taxable and non-taxable that can remotely be associated with the case, that's open-ended and subject to much argument.

A cynic would say that lawyers will naturally argue for that latter, as that gives them more business.

A similar discussion over the meaning of full continues in the UK to determine what a full pint of beer constitutes. It turns out that a 'full' pint is legally allowed to be 95% liquid, with the rest being the head.

The linked article is from 2008, and this one Metro:Here’s how you know if you’re not getting a full pint is from earlier this year.

If I could get away with paying my bills in 'full' while keeping 5% back myself, I would. And spend it on beer.

1
0

Talk in Trump's tweets tells whether tale is true: Code can mostly spot Prez lies from wording

Norman Nescio
Bronze badge

Re: Why not just...

I think a lot of politicians maintain an intentional ignorance of the topics upon which they opine, on the basis that they cannot be accused of lying if what they say is either (a) not known by them to be untrue* or (b) not believed by them to be untrue. Credible bullshitting relies on you not knowing what you are talking about, because psychologically, you are not working against the feeling that you know what you are saying to be an untruth. Others achieve the same effect by simply not caring if they are lying - such individuals can be dangerous.

This also goes some way to explain why many** senior managers are uninterested in the details. Ignorance can be very powerful.

*The partially successful Amber Rudd defence.

**Not all. I have been privileged to meet some of the few exceptions.

22
0

Abu Dhabi drops sack of cash into UK broadband challenger Hyperoptic

Norman Nescio
Bronze badge

IPv6

<optimist>Maybe, just maybe, they might find a few coppers to implement IPv6. It's been pending 'for a while' now.</optimist>

<pessimist><cynic>Then again, charging for static IPv4 addresses is probably a nice money spinner for them, especially when CG-NAT stops dynamic DNS from working.</cynic></pessimist>

1
0

Civil rights group says Oracles, Tapads and Experians get let off for wanton info-sucking

Norman Nescio
Bronze badge

Oath

I think Oath are open to a GDPR investigation as well. Demurring from data collection must be as easy as consenting, and if you have seen the number of extra pages, check boxes, and voluminous text you have to read through, rather than clicking on the 'I agree' button, I suspect they could fairly easily be shown not to be in compliance.

The relevant test is Article 7 of the GDPR

Art. 7 GDPR - Conditions for consent

[Para 3, sentence 4]It shall be as easy to withdraw as to give consent.

Frankly, if the default were no collection and processing, with the end user having to read through voluminous text and check a number of tick boxes in order to consent, it would be more in tune with the spirit of the GDPR, which is generally a default of no permission to collect or process personal information.

2
0

Which scientist should be on the new £50 note? El Reg weighs in – and you should vote, too

Norman Nescio
Bronze badge

Re: Francis Bacon

Francis Bacon

Because he invented the scientific method.

Hmm, there are many inventors of the scientific method. There are a couple of other Englishmen who could be argued to be instrumental in that endeavour, apart from Francis Bacon (Elizabethan statesman).

You could choose Roger Bacon

Or even, Roger Bacon's earlier contemporary, Robert Grosseteste who would also be an interesting candidate, but probably infeasible.

2
0

Mac users burned after Nuance drops Dragon speech to text software

Norman Nescio
Bronze badge

Re: Hc Sunt Dracones (AND Windows)

Shadow Systems wrote:

Win10 is *NOT* for anyone that can't either repair their systems themselves or pay constantly to have someone fix it. The constant updates *will* break something that is mission critical for you & if you can't do the hurdle jumping to fix the MS fuster cluck, then you'll have to pay someone else to get you a working system once more. That will eventually leave you bankrupt so best not to even start down that slippery slope to hell.

stuartnz replied:

I've had Win10 installed for more than 2 years now and have not ONCE needed "to repair their systems themselves or pay constantly to have someone fix it. The constant updates *will* break something that is mission critical for you" Not for me it hasn't, And my PC is "mission critical" because I work from home and would be stuck without a working PC.

...solidly based on actual real world experience and deep familiarity with the very software being discussed.

This is what you get when trading anecdotes to make IT decisions. Both people are correct according to their own, but very different experiences. Windows 10 certainly seems to polarise opinions, and I don't know if that is because Windows 10 is flaky on some hardware and not others, or there is some other determinant. However, it really needs some kind of independent reliable view, and I really don't know where that might be found. I'm not looking forward to helping some people with almost zero IT-skills make the transition from Windows 7 to 10 because I have no idea what the experience will turn out like for them, and by extension, me. I use GNU/Linux, and it works for me, but I don't prescribe it as an IT-panacea for all.

I hope that those that need a good dictation solution find one that is workable for them. IT is meant to be able to enhance the quality of life for people with disabilities, and all too often I see solutions offered that are expensive, difficult to maintain at any reasonable cost, and definitely not future-proof. Most people experience diminished abilities with age, and while accessibility seems irrelevant when you are young, it can become increasingly relevant, sooner than you might expect if you are providing in-family support for elderly relatives.

Good FLOSS solutions for accessibility lag behind commercial offerings by quite a bit, which is a shame. I hope that changes in future.

NN

22
1

Techie was bigged up by boss… only to cause mass Microsoft Exchange outage

Norman Nescio
Bronze badge
Pint

Re: RE: gentoo

>> "Linux is like a sleek F1 car, each part is self-contained and held together with screws. "

>> Nowadays, that's unfortunately less true than ever. To illustrate this, I suggest you try the Gentoo installation process. When you start with a stage 3 tarball and use OpenRC rather than systemd, the number of dependencies required to get a *lightweight* functioning desktop with a suite of useful applications which use your hardware properly is scary.

> what are you on about?

> xorg-server mate slim firefox thunderbird conky dconf-editor libreoffice galculator corefonts dejavu roboto vlc audacity spotify ghex gimp conky

> there. you have a gentoo desktop.

Um. You put conky in twice. I know it's good, but it is not that good. Good effort, though, so please accept the virtual pint --->

And for most normals, that would be part of a truly scary command line, which would be accompanied by pity when you proudly point out you composed it from memory.

5
0

Sorry friends, I'm afraid I just can't quite afford the Bitcoin to stop that vid from leaking everywhere

Norman Nescio
Bronze badge

Re: Racist?

Perhaps replace China with La La Land?

Being an old white bloke, I have ingrained attitudes that went out with the Ark. As a result, I have to be careful when dealing with people who are not the same sex as me, and people who don't have the same country of origin or ethnicity as me. Things have moved on from my youth, which is mostly good for people who are not white blokes, but it sometimes makes things (quite rightly) uncomfortable for me. Social attitudes have moved on. A lot.

NN

10
0
Norman Nescio
Bronze badge

Re: Racist?

My editor is worried that this week's column is a bit racist. This wasn't my intention. Is it racist? Let me know.

It depends on the pertinent definition of racism. In this case, probably the definition used by the police and the CPS "covered by legislation (sections 28-32 of the Crime and Disorder Act 1998 and sections 145 and 146 of the Criminal Justice Act 2003)":

"Any criminal offence which is perceived by the victim or any other person, to be motivated by hostility or prejudice, based on a person's disability or perceived disability; race or perceived race; or religion or perceived religion; or sexual orientation or perceived sexual orientation or transgender identity or perceived transgender identity."

There is no legal definition of hostility so we use the everyday understanding of the word which includes ill-will, spite, contempt, prejudice, unfriendliness, antagonism, resentment and dislike.

According to the Equal Opportunities Commission, the Equality Act 2010 gives a definition of race as:

Race means being part of a group of people who are identified by their nationality, citizenship, colour, national or ethnic origins. If you belong to any one of these groups and you experience discrimination, it would be counted as race discrimination. It also counts as discrimination if you are not part of any one of these groups but someone discriminates against you because they think you are. This is known as perceived race discrimination.

Race discrimination that occurs within any of the subsequent settings is unlawful:

- In the workplace.

- In any educational institution.

- Housing.

- When providing services or goods such as in the banking, entertainment or transportation industries.

- Any activity performed by any of our public authorities like the police, prisons, the NHS, local authorities and government departments.

Also, irrespective of whether the race discrimination was deliberate or unintentional, it would still count as discrimination and be deemed unlawful.

So unintentional racism is still caught. If what you wrote is perceived by someone in England & Wales from China to be motivated by prejudice, it could possibly be argued as being a racial hate crime (given the above definitions and legislation).

It is also worth reading the CPS's "Public Statement on Racist and Religious Hate Crime", and the CPS's "Racist and Religious Hate Crime - Prosecution Guidance".

This is where the crack legal team of El Reg should be advising you. I'm not legally qualified, and don't have any connection with the criminal justice system, so my advice probably has negative value. If you are unsure, consult someone who is qualified to opine. Not doing so could, possibly, be an expensive mistake.

3
0

Forgotten that Chinese spy chip story? We haven't – it's still wrong, Super Micro tells SEC

Norman Nescio
Bronze badge

Re: Not confirmed?

Hello Trygve,

Just to make clear, 'Anonymous Coward' above is not me (NN). I (NN) am not Norwegian, and I have a policy of posting under my handle (Norman Nescio) rather than as Anonymous Coward.

I am also, apparently either desperately seeking confirmation of [my] own biases or just a bloody idiot.

- I'll admit to being an idiot.

I hope that clears up any confusion.

NN

10
0
Norman Nescio
Bronze badge

Re: Not confirmed?

I was trying to be helpful and find the link to a statement by the relevant Norwegian Authorities on the Supermicro case. Essentially, putting "Supermicro Bloomberg site:no" into a search engine, and finding the relevant results, as I have a passing knowledge of Scandinavian.

The odd thing about it is the public statement on knowing about the case on a specific date before the Bloomberg article was published. Obviously supply chain security is an issue that national information security authorities would be expected to know about, so that is not news. The question is, why put a date on it? It wasn't necessary in the context of the article - all that was needed was the non-committal 'neither confirm nor deny' statement. It is an oddly specific fact.

However, I am not a tinfoil hat wearer, and I don't wish to try and blow this up into something with any more significance. The relevant text from the article is below, and I hope I'm not cherry picking. I wish I hadn't bothered looking for the reference now. As they say, no good deed goes unpunished.

Original text:

Kjente til saken i juni

Nasjonal sikkerhetsmyndighet (NSM) kjenner til problemstillingen knyttet til Supermicro.

– Vi kjenner til dette, men kan hverken avkrefte eller bekrefte at dette stemmer. Vi registrerer at dette benektes av selskapene, sier Mona Strøm Arnøy, kommunikasjonsdirektør i NSM til VG.

NSM har imidlertid vært klar over at Supermicro kan ha vært kompromittert, lenge før Bloombergs artikkel.

– Vi har kjent til dette siden juni, sier Strøm Arnøy, som ikke ønsker å utdype hvor de har informasjonen fra.

Google Translation:

Knew about the case in June

The National Security Authority (NSM) is familiar with the issue relating to Supermicro.

"We know about this, but can neither confirm nor deny that it is correct. We note that this is denied by the companies," says Mona Strøm Arnøy, Communications Director at NSM, to VG.

However, NSM has been aware that Supermicro may have been compromised long before Bloomberg's article.

"We have known this since June," says Strøm Arnøy, who does not want to elaborate on where they have the information from.

6
4
Norman Nescio
Bronze badge

Re: Not confirmed?

>> Okaaaaay? And have the journalists here contacted the Norwegian government office that, well, confirmed Bloomberg?

> Do you have a link to that? Haven't heard of it before.

VG: Storavis: Hevder Kina installerte spionverktøy i maskinvare

VG: Forsvarsdepartementet kjøpte utstyr for 533.000 – droppes etter Kina-avsløring

Google Translate can probably help. In the first article, Mona Strøm Arnøy, the Communications Director for the Norwegian National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) is quoted as saying:

"We have known this since June," says Strøm Arnøy, who does not want to elaborate on where they have the information from.

NN

2
8

FYI: Faking court orders to take down Google reviews is super illegal

Norman Nescio
Bronze badge

Re: Worship of paper

Apologies. I didn't do sufficient due diligence on that aspect of the story.

Modded you (Spazturtle) and Lord Elpuss up.

NN

4
0
Norman Nescio
Bronze badge

Re: How long before the courts move into the modern world?

There is a good reason that lawyers still use Telex. Telex machines have an identification code, known as an answerback, programmed into them that is exchanged with the far end at both the beginning of a message and at the message's end as a sign-off. The sender of a telex message can reasonably assume that if the exchange of answerbacks successfully completes at the end of the message, then the message has been successfully received by the recipient. There is a fair amount of legal precedent in the law of England & Wales, and the USA, dealing with this and related issues. As a result of the legal precedents, telex documents have certain legal advantages over faxes and emails. In common parlance, telex messages are 'legal documents' in a way that faxes and emails are not.

Wikipedia: Entores Ltd v Miles Far East Corp - decision in contract law on the moment of acceptance of a contract over telex

Obviously, organisations can use emails and public key cryptography to authenticate messages and demonstrate delivery and acceptance, but AFAIK the international legal framework around such practices is still being constructed. For example, here is El Reg reporting on the service of a writ by email: The Register: High Court approves service of a lawsuit by email in 2006.

6
0
Norman Nescio
Bronze badge

Re: Worship of paper

I ... have been perpetually amazed by the insistence of so many organisations on seeing the original documents ("wet signed", one of them called it, I think).

...

Repeatedly I ask: what's wrong with a copy, or even just the Ref Code? Surely no one would trust a supposed original (given the power of photoshopping, these days)

Forging originals is harder work than you might suppose. Anyone who is used to handling such things can easily determine the difference between even a good colour photocopy (or 'shopped image printed out) and an original signed document: wet ink, whether it be from a fountain pen, a gel ink pen, or BIC/Biro, is easily determinable as different to inkjet, laser or even dye sublimation printer output. It is made even easier if a BIC/Biro is used, as the indentation in the paper made by the ball can be seen - which, of course, won't be there in a copy.

For 'official' print outs (such as birth certificates and driving licences), the originals can be unusual size papers that don't fit onto photocopiers or scanners easily, and contain watermarks, microprinting* (for examples, look at Pound Sterling banknotes), or use special papers with embedded fibres (again banknotes, before they became plastic, had this). Many official documents are embossed, which is, again, not easily reproducible. Really old documents could be sealed with an impression from a seal on a molten wax glob dripped onto the document (hence 'sealing wax' used to be sold by stationers, looking like an odd brittle red candle - you lit the wick and dropped wax onto the document in question).

Obviously, these days, with bank statements and utility bills being sent as downloadable pdfs, asking for originals of those might be a bit pointless**, but many official documents are still made difficult to reproduce by the methods I have outlined above. There are other methods.

NN

*Headed notepaper or other special stationery can incorporate features that are not easily reproducible on common printers - microprinting is obvious, but using special inks is another possibility that is also used: e.g. some forms will have features only visible when viewed with ultra-violet light; or portions of the form can be made in ferromagnetic ink; or ink in colours known not to register well with scanners can be used. Adding a serial number that is recorded in a separate register can also be used to validate originals - while the serial number can easily be copied or modified in a forgery, you can't easily add a new entry to a central register, or know what details are recorded separately and can be cross referenced with your supposed original.

**There are also techniques that allow one to detect if a pdf of a bank statement has different information on it than the original, as the content can be encoded in non-obvious ways as a type of digital watermark***.

***You may not know, but a large proportion, if not most commercially available colour inkjet printers embed a unique identifier in documents they print by using a pattern of yellow dots. Organisations using inkjet printers for important documents could know those identifiers for their own printers, and therefore be able to state that a document with a different identifier was not an original. See:

Wikipedia:Machine Identification Code

EFF's "Yellow Dots of Mystery" on Instructables

EFF: List of Printers Which Do or Do Not Display Tracking Dots

Seeing Yellow

EFF: Printer Tracking

Note that it is this technique that helped the American authorities track down Reality Winner.

4
0

Silent running: Computer sounds are so '90s

Norman Nescio
Bronze badge

One reason for removable batteries...

When the craze for personalised (loud, obnoxious) ringtones was at its height, it was an unfortunately common occurrence for people at my then workplace to wander off to interminable meetings leaving their phone behind on their desk. If someone then tried to get in contact with the wanderer, you got subjected to several bouts of uninterrupted ring-tone. If you were polite enough to answer the phone for them, all you got for your trouble was a request to take down a Dostoyevsky-length message.

The nice beyond the call of duty would take a message.

The next nicest would pick up the phone and go and look for the wanderer.

The next nicest people would set the phone to silent, so the wanderer could see the missed calls.

The next nicest would turn the phone off.

The next nicest would turn the phone off, and place it in a coat pocket or other obscure hiding place belonging to the wanderer.

The next nicest would remove the phone's battery. For some phones, this removed the power to the real time clock, requiring navigating the time and date setup menu to reset it when the battery was put back in. Hiding the battery was optional.

And on one occasion, a colleague who had suffered enough very deliberately fetched a large glass of water, took the noisy phone and placed it in the glass on the wanderer's desk.

21
0

Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage

Norman Nescio
Bronze badge

Re: Some unpatched models have OpenWrt available

>> As ever, OpenWrt might not be appropriate for your needs

>I can't imagine a scenario, where it is less appropriate than a D-Link vendor image.

There can be circumstances where the vendor image is 'better'.

Sometimes OpenWrt only works on specific hardware revisions of the routers, as vendors sometimes change the chips used without changing the model name, and if OpenWrt doesn't have drivers for the new chipset, it won't work. In addition, there are bits of hardware that might not be supported even if the rest of the router works - for example (V)DSL modems or mobile network modems, as again, OpenWrt doesn't have the drivers. Finally, vendors might make use of capabilities that OpenWrt can't (yet), such as hardware offloading for NAT. In the last case, this means a vendor image might have a substantially higher throughput than an OpenWrt image.

This might seem like I have a downer on OpenWrt. I don't, and use it extensively myself on a small flock of carefully chosen routers. But it is as well to be aware of the understandable limitations, as many vendors either won't, or can't (for legal reasons) provide the necessary documentation or drivers to the OpenWrt project for the project to use. A lot of work has to be done by patient reverse-engineering, and I take my hat off to those who do this work. I have nothing but praise for the (mostly) volunteers who do the hard work to provide the OpenWrt images for everyone else to benefit from.

In short, OpenWrt is not a magic panacea for SOHO router woe, but if you know what you are doing, and the limitations are acceptable for your use, it is a very useful tool to have.

9
0
Norman Nescio
Bronze badge

Some unpatched models have OpenWrt available

For some of the affected devices, he wrote, there won't be patches. The vulnerable units are all in D-Link's DWR range: the DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912, DWR-921, and DWR-111. Most of these, Adamczyk claimed, will be left unpatched because D-Link told him they're end-of-life; only the DWR-116 and 111 would be fixed.

A couple of the above models without patches have OpenWrt images available for them.

DWR-512 hardware version B - https://openwrt.org/toh/d-link/d-link_dwr-512_b

DWR-921 hardware version C1& C3 - https://openwrt.org/toh/d-link/d-link_dwr-921

and for completeness, one of the to be patched models does too

DWR-116 hardware versions A1 & A2 - https://openwrt.org/toh/d-link/d-link_dwr-116

As ever, OpenWrt might not be appropriate for your needs, but it might get you out of a hole.

21
0

Microsoft Windows 10 October update giving HP users BSOD

Norman Nescio
Bronze badge

Re: So who you gonna believe?

Barton Gellman is a little bit more than an average 'newspaper hack'. He led the Washington Post's coverage of the Snowden leaks, interviewing Snowden personally, and quite probably has had to deal with Information Security in an up close and personal way as part of that process - most of which he either can't (or won't) talk about. It's worth reading his Wikipedia profile.

This is not to say his real-world experience trumps Steve Bellovin's knowledge*, but I would say Gellman's background shows signs of at least having relevant knowledge. Purely in journalism terms, he has fairly good credentials:

Gellman has contributed to three Pulitzer Prizes for The Washington Post, winning as an individual, team member and team leader.

I wouldn't characterise him as a hack, and I'd lay good odds on him knowing the difference between Internet Explorer and Windows Explorer.

The actual issue is an interesting one; I suspect a nuanced answer might be appropriate: the average user is best served by applying updates as soon as practicable after they have been applied and found to be good by experts. This allows experts to use their expertise in recovering from unexpected glitches, and the population of average users benefit from across-the-board improvements in security. I suspect Microsoft, in part, moved to forced updates because so many people did not update, exacerbating security vulnerabilities. We all know of devices without firmware updates, even if they are available, because most people don't regard applying updates as important. Microsoft, in theory, should be ensuring that updates go without a hitch (i.e. they are the 'experts' people wait for): and for the most part they do, but failures are, quite rightly, high profile.

I think a good argument can be made for automated updates improving the general level of security, but I would also say that experts should be given the tools to opt out of updates where it is, in their opinion, necessary.

*Steve Bellovin's blog (SMBlog — Steve Bellovin's Blog) is always an interesting read for me. I have learned a great deal from it.

4
0

Russian rocket goes BOOM again – this time with a crew on it

Norman Nescio
Bronze badge

Compare with successful launch video

>>Seems something went wrong even before booster cut-off and staging. See 02:37 min. into this video of the launch, something can be seen detaching from the rocket and spinning around just before the internal shot where the "gravity indicator" suddenly rises and then the bouncing starts. 2 seconds later the debris cloud can be seen.

>According to http://www.russianspaceweb.com/soyuz_launch.html stage 1 is at 117.8 seconds, and the payload fairing is at 157.5 seconds.

> Interestingly, the emergency escape rocket jettisons at 114 seconds. I didn't know it was that early.

Hmm, 02:37 min is ...120 plus 37, or pretty much 157 seconds...but before I leap to a conclusion, the video starts rolling before actual launch. Engine ignition is at approximately 0:40, lift off at approximately 0:44, which makes the object seen at about 157 less about 40 seconds after lift off (i.e. about 117 seconds after lift off), which means that it's not the fairing, but most likely the escape rocket jettison caught on camera, followed shortly after by what should be stage 1 separation.

Compare the video with the (normal) Soyuz Launch video for the launch that carried Tim Peake up to the ISS [ISS] Launch of Soyuz TMA-19M with British Astronaut Tim Peake - look at 2 minutes 50 onwards at quarter speed to see the escape rocket jettisoned (at 2:51) followed by Stage 1 separation (at 2:53 you see the exhaust trail change).

If anything, to my non-specialist eye, the escape rocket jettison looks fine on the failed launch video, then we cut to an interior view of the Soyuz to see the astro/cosmonauts being buffeted around, so we don't see the Stage 1 separation, but we cut back to see the immediate aftermath of the separation, which doesn't look like the nice normal symmetrical Korolev cross.

Many thanks for that link to the Russian Space Web Soyuz Launch timeline.

NN

2
0
Norman Nescio
Bronze badge

Seems something went wrong even before booster cut-off and staging. See 02:37 min. into this video of the launch, something can be seen detaching from the rocket and spinning around just before the internal shot where the "gravity indicator" suddenly rises and then the bouncing starts. 2 seconds later the debris cloud can be seen.

That might be the payload fairing coming off, as planned. You want the fairing near to sea level atmospheric pressure, as you need the aerodynamic shape: but once up high enough, the benefit from the fairing is less than the benefit from dropping it, so you do not need to spend fuel to lift it higher.

I'm not familiar enough with the Soyuz launch timeline to know if the fairing is meant to come off before, during, or after booster separation.

2
0
Norman Nescio
Bronze badge

Ballistic descent

Ballistic descent from the point of a failed booster separation has happened before - in 1975:

Soyuz 7K-T No.39 (aka Soyuz 18a).

There's another write-up here: America Space:'Creeping and Unpleasant': The Near-Space Experience of Soyuz 18A

That hit more than 21G. The astro/cosmonauts train in a centrifuge up to 8G. I've no idea what G-force this one hit, but hopefully survivable without permanent injury preventing them from taking part in later missions.

NN

3
0

Microsoft has signed up to the Open Invention Network. We repeat. Microsoft has signed up to the OIN

Norman Nescio
Bronze badge

The Techrights view

The Techrights view on this is here:

Techrights: Open Invention Network is a Proponent of Software Patents — Just Like Microsoft — and Microsoft Keeps Patents It Uses to Blackmail Linux Vendors

and the recent view on Microsoft joining LOT is here, too:

Techrights: Microsoft Uses LOT Network to Spread Lies and Promote Its Protection Racket

I think it is fair to say, it is not unalloyed enthusiasm.

Techrights point out that Microsoft have a history of selling patents to Non-Practising Entities, who then enforce them, and as the NPEs are not members of OIN, such patents will continue to be used in threatened and actual litigation. Also, Microsoft are not including the exFAT patents in the OIN deal.

1
1

If you haven't already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat

Norman Nescio
Bronze badge

MikroTik Updates

I don't know if it is any use, but it is possible to load OpenWrt on many MikroTik routers.

OpenWrt Table of (supported) Hardware: MikroTik

OpenWrt: Common Procedures for Mikrotik RouterBoard Products

So it might be possible to load OpenWrt if you can't get an updated MikroTik image for an old model. Obviously, I can't tell you if OpenWrt is suitable for your needs. Caveat Emptor and all that.

2
0

Don't make us pay compensation for employee data breach, Morrisons begs UK court

Norman Nescio
Bronze badge

Re: Quis auditdiet ipsos Auditores?

Generally, auditors do not work alone, for reasons that should be obvious, but it seems are not.

Audit teams descend upon you partly because no single member should have access to data without someone else in the team of equal or greater authority signing off on that access. Usually, a senior (internal) auditor (which is what Andrew Skelton was) will be signing off on junior members of the team accessing/collecting data, and will be unlikely to be 'at the coal-face', as the senior auditor's actions will need to be signed-off by the Head of Internal Audit, or some similar entity.

Now, if he instructs a junior member to grab a copy of the payroll database, he can't then sign off the access - that is an obvious deficient control. What happens is an Audit Plan is made in which taking a copy of the database is a part (but see later about normal practice), and it is signed-off by the Head of Internal Audit (or possibly another, independent, Senior Internal Auditor). He should not be able to waltz in on his own authority and grab a copy of whatever he likes. 'Fishing' expeditions are possible, but everything accessed or taken needs to be recorded and counter-signed, with the log audited by someone else. Audit is all about following a process in painful detail.

External Auditors come and review Internal Audit's working practices every so often.

Obviously, once a copy of data is (legitimately) on an Internal Audit's computer(s)*, you pretty much have to trust that it is not being misused - I would not be surprised to learn that in this case a Payroll Audit had just taken place, although I would understand normal practice would be not to take a copy of the payroll database, but to take a (sufficiently large to be representative) random sample of records to check for problems (for reasons that should be obvious).

Being an internal auditor should not give you 'the keys to the kingdom'. It should give you monitored and audited access to a representative sample of parts of the kingdom, precisely to prevent a disgruntled auditor causing great damage - which is what happened in this case.

I would expect one of the audit findings on the Payroll Audit would have been a deficiency in access controls, unless there was a Very Good Reason that the audit department needed a full copy of the database. Audits generally proceed on a representative sample of data.

Audit departments have to be 'squeaky clean' with regard to their own process controls, as they are the ones telling the rest of the company what best practice should be. It doesn't mean you avoid all risk - but deficiencies need to be recorded and agreed as allowable by the board of directors who have the legal responsibility for the proper running of the company. There is nowhere to hide.

Sorry if I've gone on a bit. My years in Internal Audit are coming back to haunt me and I'm getting flashbacks, even though I was never formally certified.

NN

*Computers used for data analysis by internal audit would generally not have Internet access, and follow the rule that client data can be imported or destroyed, but never exported. The only data that comes off those machines are the results, with the exception of secure backups, which are retained so that the audit can be reviewed, either by a separate internal audit team; or by the external auditors.

2
0

Punkt: A minimalist Android for the paranoid

Norman Nescio
Bronze badge

Re: IP52

I share your reservations about KaiOS.

That said, the JioPhone 2 looks interesting, with the Qwerty-keyboard, but since it is only available in India, locked to Reliance's network, it's not something I could play with. As it also seems to be locked to Reliance's walled garden (Jio Store), I suspect KaiOS is aimed at network operators wanting to maintain or increase their ARPU and not paranoid FLOSS junkies like me.

1
0
Norman Nescio
Bronze badge

Re: Why android?

There is the Nokia 8110 4G, which is an HMD Global 'feature phone', with 4G and tethering. It runs a derivative of KaiOS. It is considerably cheaper than the Punkt.

Having got one with the express intention of avoiding Android and iOS, and using tethering to give on-the-go Internet access to other devices, I'll say it is very much a curate's egg.

The derivative of KaiOS ain't open, and it is very restrictive. The UI is very unpolished, and the keyboard is nowhere near as good/ergonomic as the original Nokia 8110. If you can, I would strongly recommend trying one out for a few days before deciding whether to buy one for yourself.

I'm waiting for Sailfish OS 3.0 to be released, hopefully this month, and will likely get a compatible Sony phone, although I'm not over-keen on buying a SONY-branded product ever since the 'CD' rootkit debacle. I console myself with the sophistry that Sony Mobile are a pretty much separate company to Sony BMG - even so, for some people (including me) SONY is a toxic brand.

Assuming Sailfish 3.0 lives up to expectations, the Nokia 8110 4G will become my reserve phone - still useful, but not the daily driver.

1
0

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Norman Nescio
Bronze badge

Taiwanese foundries

I imagine some people may decide it is beneficial to source hardware from Taiwanese foundries, given that politically, that area is not mainland Chinese, Russian, or American/5-9-14-eyes controlled. Of course, you would still need to ensure that your supply chain has not been subverted in some way, given the example of the NSA and Cisco.

Assuring that your hardware has not been Trojanned is a hard problem, which the vast majority of people don't need to worry about. I have every sympathy for those whose job such assurance is.

6
0

China's going to make a mobile OS and everyone will love it, predict ball-gazing analysts

Norman Nescio
Bronze badge

Russia already has an alternative phone OS

Russia has licenced Jolla's Sailfish OS for domestic use.

TechCrunch: Jolla’s Sailfish OS now certified as Russian government’s first ‘Android alternative’

And, although Jolla Oy is a Finnish Limited Company, I believe Rostelecom are what Jolla delicately call a 'strategic investor'. More details here: [Jolla Blog] Rostelecom is new strategic investor.

After the investment, Rostelecom is the largest individual shareholder in the investment company Sailfish Holding Ltd. (Hong Kong) but does not own majority in Jolla Ltd. (Finland). The development of Sailfish OS has always been an international project and the company has an international shareholder base. The Sailfish family includes significant shareholders e.g. from China, and developing the company’s regional licensing strategy requires international ownership.

I don't think it has exactly taken Russia by storm, but it appears at least one phone is (or has been) available: the INOI R7.

2
0

Boffin: Dump hardware number generators for encryption and instead look within

Norman Nescio
Bronze badge

Re: Round and round we go

Whilst technically possible it's not an attack vector you need to worry about. If someone wants to target you that seriously we know from the Snowden disclosures there are easier ways to steal everything you type and everything sent to your screen.

I agree that most people don't need to worry about it...however, some people do, and those that are not targeted can be caught in the crossfire*. As it is a dopant level Trojan, there is nothing to stop this (or something very much like it) having been rolled out across all CPUs of a particular type, and it is possible that it could have been done without the manufacturer's explicit knowledge (serve an NSL on a few key technicians). Much like Intel's Management Engine or AMD's 'Secure Processor' (formerly known as PSP) is present in pretty much all commercially available x86 CPUs you can buy, it may not be possible to avoid a Trojanned RNG. Unless you find a statistical test that demonstrates the RNG has been Trojanned, it passes standard statistical tests, too.

Until the Dual-EC-DRBG malarkey, most people would think such a thing was pure 'tinfoil hat' territory.

Most people and companies are not specific targets of interest to the security and intelligence services, and as you say, don't need to worry about this. Some entirely legitimate commercial organisations do have to worry about such things - for example, if your activities are covered by the Wassenaar arrangement, you do.

It's certainly not a bad idea to run as many statistical test suites as possible, but they never prove that the output is truly random, whereas a failure demonstrates the output is definitely not random.

*Not least, if a malicious entity gains the knowledge of the vulnerability and uses the knowledge to exfiltrate and/or change data for monetary gain.

Further reading:

Stack Exchange: Cryptography - What tests can I do to ensure my random number generator is working correctly?

MERS: Statistical Test Generation for Side-Channel Analysis based Trojan Detection

International Journal of Open Information Technologies vol. 3, no. 5, 2015: Performance analysis of Hardware Trojan detection methods

1
0
Norman Nescio
Bronze badge

Re: Round and round we go

I prefer to trust a simple hardware random number generator that uses something like diode noise which is random down at the physics level.

You can only trust it if you built it yourself.

Becker, Regazzoni, Paar, Burleson: Stealthy Dopant-Level Hardware Trojans

the Trojan passes the functional testing procedure recommended by Intel for its RNG design as well as the NIST random number test suite. This shows that the dopant Trojan can be used to compromise the security of a meaningful real-world target while avoiding detection by functional testing as well as Trojan detection mechanisms.

3
0
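An added worked example, not part of either post above, illustrating the point both make: a generator whose entropy has been silently reduced (a model of the dopant-level Trojan in the Becker et al. paper) sails through standard statistical tests, while anyone who knows the construction can predict its entire output. The "trojaned" generator here is a constructed stand-in (a SHA-256 chain seeded from only 16 bits); the two tests are the NIST SP 800-22 frequency (monobit) and runs tests, implemented from their published formulas. Nothing in it is taken from the paper or the linked sites.

```python
import hashlib
import math
import secrets

SEED_BITS = 16  # constructed: the modelled Trojan leaves only 16 bits of entropy


def honest_rng(nbytes):
    """Stand-in for an untampered generator: the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def trojaned_rng(nbytes, seed):
    """Constructed model of a trojaned generator: a SHA-256 chain seeded from
    just SEED_BITS of entropy. The stream looks random and is expected to pass
    statistical tests, but anyone who knows the construction can brute-force
    the seed and predict every later byte."""
    assert 0 <= seed < (1 << SEED_BITS)
    state = seed.to_bytes(4, "big")
    out = bytearray()
    while len(out) < nbytes:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:nbytes])


def to_bits(data):
    """Expand bytes to a list of 0/1 ints, most significant bit first."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def monobit_p(bits):
    """NIST SP 800-22 frequency (monobit) test p-value."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p(bits):
    """NIST SP 800-22 runs test p-value (0.0 if the frequency prerequisite fails)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    numerator = abs(runs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def passes_basic_tests(data, alpha=0.01):
    """True if both tests accept the stream at significance level alpha."""
    bits = to_bits(data)
    return monobit_p(bits) >= alpha and runs_p(bits) >= alpha


def recover_seed(observed):
    """What the statistical tests cannot see: with knowledge of the Trojan,
    brute-force the seed from the first 32 observed bytes (2**16 hashes)."""
    for seed in range(1 << SEED_BITS):
        if trojaned_rng(32, seed) == observed[:32]:
            return seed
    return None


def predict_rest(observed, total_len):
    """Reproduce the remainder of a stream of total_len bytes once the seed
    has been recovered from the observed prefix."""
    seed = recover_seed(observed)
    if seed is None:
        return None
    return trojaned_rng(total_len, seed)[len(observed):]


if __name__ == "__main__":
    stream = trojaned_rng(1024, 0xBEEF)
    print("honest passes:  ", passes_basic_tests(honest_rng(1024)))
    print("trojaned passes:", passes_basic_tests(stream))  # usually True
    print("constant passes:", passes_basic_tests(bytes(1024)))  # False
    print("seed recovered: ", hex(recover_seed(stream)))  # 0xbeef
```

The two tests reject the obviously broken streams (all zeros, or a strict 0101 alternation), and will almost always accept the trojaned stream, which is exactly the failure mode the posts describe: a passing test suite is not evidence of unpredictability. Only knowledge of the construction (here, a 16-bit brute force) exposes it, which is why the posts say you can only trust a noise source you built and can inspect yourself.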

Why are sat-nav walking directions always so hopeless?

Norman Nescio
Bronze badge

Re: Too many apps

Satellite dishes point south (north in the antipodes natch)

Up to a point. Your average satellite TV dish in the UK will point sort-of southwards, but as the geostationary satellites used to cover the UK are not precisely at 0° longitude, you'll be off by a bit. For 'broad brush' navigation, that doesn't matter, but it definitely isn't precisely south.

If you take the example of the Astra 28.2° E satellites, if you are setting up a satellite dish in the UK, you won't point it directly south (180°), but somewhere between 139° and 147° degrees, depending on where you are.

If you put your location into DishPointer, and select the Astra satellites at 28.2E it'll draw a nice map showing where the satellite dish will point. It's fairly clear that it is not directly south.

9
0
Norman Nescio
Bronze badge

Re: Determining South (in the Northern hemisphere) from a clock

Ooops, sorry - that should be Полярные (Polyarnyye), not Полярная (Polyarnaya) - both mean 'Polar', but it is the first written on the watch dial. Russian is full of hazardous word endings just waiting to trip up English speakers.

4
0
Norman Nescio
Bronze badge

Re: Determining South (in the Northern hemisphere) from a clock

24-hour wristwatches are a thing, most are 'military' designs, and have 24 at the top of the dial.

I have an Aristo Messerschmitt watch - 24 hour dial, 12 at top, counts up to 24. Few 24 hour watches have the 12 at the top of the dial - most have it at the bottom, and even fewer have a zero instead of 24 - the Russian Brand 'Raketa' (РАКЕТА) has a lot of 24-hour models (put: 'Raketa 24-hour' into your Internet search engine of choice), which include the Polyarnaya (Полярная) watch that has a zero instead of a 24 - but still at the top of the dial (Ebay example here).

I don't collect watches, but it looks like there's a pretty large culture of watch collectors, judging by the number of forums and 'interesting' prices one can find looking around the Internet.

4
0
Norman Nescio
Bronze badge

Determining South (in the Northern hemisphere) from a clock

The only time I've used my phone for navigation while walking was to check what time it was so I could work out which direction was north.

Hmm, I wonder if there is an app for that? Point arrow on screen in heading of the sun, and in combination with (GPS or other time source) time, get second arrow pointing due South (in Northern hemisphere), and due North (in Southern hemisphere). GPS or external knowledge could be used to work out which hemisphere you are in.

Note: GPS (with a single antenna) will not tell you which way is North. It determines your position on the geoid only, not heading. You need two points, either by having two antennas, or by moving and taking a second reading before GPS can then calculate and tell you which direction is North relative to the course between the points. Hence the need for a compass of some type (magnetic/gyro/inertial) in combination with GPS for some applications.

Of course, many smartphones have magnetometers in them that can be used to emulate a magnetic compass.

One of my prize possessions is a 24-hour dial wristwatch with mid-day at the top of the dial, which allows you to determine South (in the Northern hemisphere) directly (point hour-hand at sun, mid-day marker points due South). The irritation is that the mid-night marker is labelled 24, rather than 0.

8
0

Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is 'insecure'

Norman Nescio
Bronze badge

Serial number story

If you want a nice story linking serial numbers and security, the 'German tank problem' makes a nice aside. For those unwilling to follow the link, the tl;dr summary is that statistical analysis of serial numbers on captured German tank equipment allowed the Allies to estimate the production rate of the tanks surprisingly accurately. Allotting identification numbers from a large (compared to the number of items manufactured) set of random numbers is advisable if you wish to keep your production rate secret.

5
0
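An added worked example, not part of the post above, of the German tank estimate and of why the post's advice (draw identifiers at random from a space far larger than the production run) defeats it. The estimator is the standard frequentist minimum-variance unbiased one, m + m/k - 1 for the largest serial m seen in a sample of k; the production runs and captures are constructed with a seeded PRNG so the run is reproducible.

```python
import random


def estimate_total(serials):
    """Minimum-variance unbiased estimate of the number of units produced,
    from k serial numbers sampled without replacement out of sequential
    serials 1..N: m + m/k - 1, where m is the largest serial observed."""
    k = len(serials)
    if k == 0:
        raise ValueError("need at least one observed serial")
    m = max(serials)
    return m + m / k - 1


def simulate(n_produced, k_captured, id_space, rng):
    """Constructed simulation: build n_produced units, 'capture' k_captured
    of them at random and estimate n_produced from their serials.

    id_space=None  -> serials are sequential 1..n_produced (leaks the count)
    id_space=2**32 -> serials drawn uniformly from id_space values, a space
                      far larger than the run (the estimate says nothing)
    """
    if id_space is None:
        serials = list(range(1, n_produced + 1))
    else:
        serials = rng.sample(range(1, id_space + 1), n_produced)
    captured = rng.sample(serials, k_captured)
    return estimate_total(captured)


def demo(seed=2018):
    """Run both schemes on a run of 1000 units with 50 captured; returns
    (estimate with sequential serials, estimate with random 32-bit ids)."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    sequential = simulate(1000, 50, None, rng)
    randomised = simulate(1000, 50, 2**32, rng)
    return sequential, randomised


if __name__ == "__main__":
    seq, rnd = demo()
    print("sequential serials -> estimate %.0f (true 1000)" % seq)
    print("random 32-bit ids  -> estimate %.0f (true 1000)" % rnd)
```

With sequential serials the estimate lands within a few percent of the true 1000 from only 50 captured units; with identifiers drawn from a 32-bit space the same estimator returns a number in the billions, which is the leak the post is warning about, closed. The same reasoning applies to anything that hands out monotonically increasing IDs (invoice numbers, ticket IDs, database primary keys exposed in URLs).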

Biting the hand that feeds IT © 1998–2018