* Posts by Charlie Clark

4612 posts • joined 16 Apr 2007

'Boss, I've got a bug fix: Nuke the whole thing from orbit, rewrite it all'

Charlie Clark
Silver badge

Re: Well, this article'll cause some arguments, eh?

Anyway, it looks like LibreSSL is just borrowing heavily from a fork of OpenSSL and probably just removing some little used stuff - but it's not a clean room rewrite...

It's always been a fork. A lot of stuff has been removed or rewritten, but one of the reasons for the fork was maintaining API compatibility.

Nevertheless, I find it interesting that this bit of code was kept around.

0
0

Turkish hacker pleads guilty to $55m maniac global ATM heist

Charlie Clark
Silver badge
Headmaster

Spellchecking budget cut again?

Turkish hacker pleds guilty

6
0

Greybeard monobrow baldies rejoice! Boffins comb out hairy genes

Charlie Clark
Silver badge
Coat

That's weird: I've always thought of them as a pair of dicks! Then there's that hairy twat, Robbie Savage.

I don't mind a bit of banter along with the football but the BBC is doing a great job of imitating the tabloids.

4
0

One-third of all HTTPS websites open to DROWN attack

Charlie Clark
Silver badge
FAIL

Re: Meanwhile on OS X

Try http://brew.sh, it's a much cleaner approach.

No, it isn't.

MacPorts allows you to override bits of the subsystem that Apple never gets round to patching.

0
0
Charlie Clark
Silver badge

Meanwhile on OS X

MacPorts contained updates this morning.

Inspecting the system more closely:

/usr/bin/openssl version

OpenSSL 0.9.8zg 14 July 2015

and

/usr/local/bin/openssl version

LibreSSL 2.2.0

Better, especially as /usr/local/bin gets precedence in the path but 2.2.6 was released back in January.

C'mon Apple: release those upstream updates to your customers!

0
0

More and more Brits are using ad-blockers, says survey

Charlie Clark
Silver badge

Re: Ad free please

Well, you could easily anonymise the payment stuff through a clearing house. I'm just thinking of the integration of paywalls in the browser as a way of lowering the barrier to entry.

Visit The Register initially for free then after a while it's used up and you get offered conditional access: single article, monthly sub, yearly, etc. Or ad-supported access with ad-blockers disabled for that site.

To be honest I'd be more worried about abuse of the service by unscrupulous websites than by the data slurping stuff.

1
0
Charlie Clark
Silver badge

Re: Ad free please

So, what do you think of the idea I had for a "PayPal" browser that would allow you to do just that?

1
0
Charlie Clark
Silver badge

54 per cent of those surveyed (and more 18-24s) said they’d turn the blocker off to reach a particular site or service

Sounds like "do what I say, not what I do".

Polls like this remind me of those that regularly demand more spending and lower taxes: people know that they are not accountable for such opinions.

4
1

Windows 10 claimed another point of desktop share in February

Charlie Clark
Silver badge
Stop

Microsoft's real fail…

…is the continued ignominious demise of Internet Explorer as a browser. Looking at the Top10 of browsers on non-cellular networks we see that IE (13%) is now behind Safari mobile (14%) all the time and may soon fall behind Chrome mobile during the week as well as at weekends. And this is desktop and desktop replacement traffic.

Edge is stuck around 2% and unlikely to gain relevance because: people are sticking with Windows 7; and Microsoft refused to backport Edge to Windows 7.

IE 11 is a reasonable browser but is going to fall behind the competition in increasingly important areas as things like Flexbox (supported by IE 11) become the "new normal". It means that, while corporates are keeping IE around for legacy, they must provide alternatives for everyday use of the interwebs. Whether it's Firefox ESR or special Google builds or simply I-Pads, it's all not Microsoft. Once everyone has moved all their bookmarks to browser X, it's going to be very hard to get them back.

And Microsoft is betting the farm on the best HTML/JS/CSS runtime.

4
0
Charlie Clark
Silver badge

Re: Whaaatt?

If there's an equivalent covering more of the world I'm sure the vulture want to know.

What? You mean like Akamai's Internet Observatory?

Mentioned it several times to no effect. Probably because you can't just cut & paste the data into a spreadsheet.

3
0

Learn things? DROWN HTTPS flaw proves we don't even test things

Charlie Clark
Silver badge

Sorry, what?

test your configuration to make sure it's what you expected

What is this supposed to mean? I take it to mean "configuration was correctly distributed and applied". Cf. the recent Google router misconfiguration.

What are "post-configuration tests"?

The only thing I can think of is: do you regularly run penetration testing on your equipment? The whole point of penetration testing is that it is external and ignorant of configuration. Run it and expect the unexpected.

Are enough people running enough penetration tests? Certainly not. This isn't helped by the legal situation: in some countries penetration testing may involve technically illegal activities.

1
0

Safe Harbour v2.0 greenlights six bulk data collection excuses

Charlie Clark
Silver badge

The responsibility of courts

Given that the CJEU failed to define what is and isn’t acceptable the first time around, the Shield is sure to end up back in Luxembourg once again.

Is it the responsibility of the court to do so? That would make the court a lawmaker. The main point of the judgement was that EU citizens have little or no rights over their privacy in the US, ergo Safe Harbour is null and void. Politicians around the world have, for reasons of political expediency ("look at what we're doing to fight terrorism/child pornography/halitosis, etc."), increasingly effectively delegated lawmaking to the courts. Think of the DRIP fiasco.

The onus is now on lawmakers to come up with the definitions both of what's acceptable and of adequate legal recourse. Mass snooping is unlikely to suffice and, so, if it's included in the agreement then there is every chance that the law does end up before the courts. However, this would be a poor strategy to follow: the ECJ has already invalidated the existing agreements so new ones are likely to be overturned by lower courts, citing the existing judgement.

2
0

Microsoft sneaks onto Android while Android sneaks onto Windows

Charlie Clark
Silver badge

Re: Kind of obvious

It doesn't need to. If MS doesn't want to be held to the licence, it doesn't need to accept it.

Nope. This is a standard area of contract law and underpins discussions of licensing such as FRAND patents. Clauses like this are routinely struck out by courts as too onerous and here possibly even irrelevant to the implicit contract of the licence.

As an extreme example: a licence for my code might include a requirement for a particular religious affiliation. It's unlikely that such a clause would withstand judicial scrutiny. This is why so many real contracts have clauses at the end that prevent nullification in case that any individual clause is held to be invalid.

Add to this the dual-licensing that Google already applies to Android: there's AOSP and then there's the stuff for manufacturers and it's fairly clear that Android is not Linux.

Whatever, with Microsoft apparently exiting the handset business, it's unlikely for them to start becoming an Android distributor. Providing an alternative to Google Play services is probably sufficient.

0
0
Charlie Clark
Silver badge

Atom-powered phones? Yawn

And the battle will really heat up once Atom-powered phones arrive later this year.

Intel has been successfully losing market share by pouring money into x86 phones for the past few years. And things are getting worse as more and more developers go native. How does Intel expect to compete with Mediatek, et al. in the budget segment? Intel has lost so much money that it's resorted to hiding the mobile division in with the PCs.

The RPi3 today handily provides a comparison as to the improvements in power at a constant price with ARM: 2012 weedy single-core v6; last-year reasonable quad-core; now 64-bit. And that's nowhere near high-end or SoC prices.

1
0
Charlie Clark
Silver badge

Re: Kind of obvious

But as soon as they become an Android distributor, they are of necessity a Linux distributor

I reckon that's up for debate and I'm not sure whether the clause would stand up in court.

Google certainly doesn't seem to view the patent stuff in that way.

1
0

Google cloud wobbles as workers patch wrong routers

Charlie Clark
Silver badge
Stop

It could well be that rival clouds aren't as forthcoming with reports of messes like this, and that the stream of SNAFUs Google reports is a sign of commendable openness and transparency.

Or they could be signs of immature processes.

This whole article oozes snide but only really has insinuation to back it up. I'm not a Google fan but it seems to me that they have pretty mature processes, particularly when it comes to disaster recovery, where it really counts. Being prepared to go public with the procedural details without pointing the finger: "we fucked up and this is why…" is one of the best ways to underline to employees how important their work is.

Status feeds are one thing but how many complete fallouts of Google have there been this year? And of Azure and Amazon?

3
2

Google Project Zero reverse-engineers Windows path hacks for better security

Charlie Clark
Silver badge
Facepalm

Re: win32? in 2016? really???

Also, it has silliness like case sensitive file names (for lack of proper collations, and an English-centric mindset) and horror of spaces

Sigh.

Case-sensitivity is the default for computers because chars map to hex values, or didn't you watch The Martian? Case-insensitivity is slower and requires more memory. But, of course, speed and memory have never mattered, particularly not in the early days of unix.

Whitespace can be a real problem on terminals and printouts. Much better to make it explicit.

9
2

Raspberry Pi celebrates fourth birthday with fruity version 3

Charlie Clark
Silver badge

Networking

Anyone know if 5GHz is supported? That's been my biggest problem so far.

0
1

Raspberry Pi 3 to sport Wi-Fi, Bluetooth LE – first photos emerge

Charlie Clark
Silver badge

Re: At the risk of 'banging on' again and again...

I dunno, me and t'missus have been using one quite merrily as our desktop for a year now.

The single core of RPi 1's makes it unsuitable to run as a desktop but the RPi 2 is good enough for many things. I have CPU performance of about half that of my desktop for stuff that can make use of the four cores, though I/O is noticeably slow.

0
0
Charlie Clark
Silver badge

Re: Still sucks for i/o performance

The RPi was initially supposed to improve IT in schools. I don't know if anyone seriously expected it to have a major impact there, if so I suspect they're likely to have been disappointed but not because the device was underpowered.

Instead the RPi shipped in sufficient volumes to create a viable software and hardware ecosystem for hobbyists and developers. It makes a great media centre that you can just plug into any modern TV but is also the basis of many small projects that might otherwise never have happened because specialist hardware is required. For example, I've got a 3" touchscreen that sits nicely on the RPi's geek port. Not sure what I'm going to use it for but I can imagine all kinds of industrial machines using something like this for the next control panel. And I hope they do because the software stacks available for the RPi are light years ahead of most embedded devices, and are still likely to be supported for the life of any particular device.

Hence, the RPi has succeeded in establishing a hardware and software platform where none previously existed. Maybe it took a while to go from the RPi1 to RPi2 but it looks like things are picking up in which case we could soon be looking at some pretty beefy devices that still only cost around $35, but the market may focus on those with the lowest power draw: SATA in an embedded device isn't going to make much sense.

Now, if they'd include FreeBSD as part of NOOBS!

1
0
Charlie Clark
Silver badge

Re: Missing the point

Prepared for the downvotes here

I gave you one just so you wouldn't be disappointed! :-)

Actually, your post is pretty much spot on.

2
0
Charlie Clark
Silver badge

Re: Shame

Can you name another SoC vendor that could compete at this level?

Mediatek, can I have my five pounds, ta?

2
0

Europe is spaffing €20bn on handouts for tech

Charlie Clark
Silver badge

Auditors haven't signed off the EU accounts for almost 20 years. It's a very wasteful way of spending a pound. Or Mark. Or a Frank.

Facts, eh? Who needs them.

Remember the budget spent by the body of the EU is tiny compared to the money, mainly pork, handed out to member states.

As this is about the EIB it should be further noted that this is run by the member states and not the Commission. I'm not a fan of monetary policy being used for stimulus but it was Juncker's declared aim to use the EIB to finance projects in the absence of stimulus from member states. There was a fanciful plan of using EU money to encourage investment from private investors. I'm sure it will all end in tears. But this is more to do with the abrogation of responsibility by politicians in the hope that handouts from the ECB will mean they can continue to sit on their hands (France and Italy are particularly guilty here).

3
2
Charlie Clark
Silver badge
Thumb Down

So the Commission is doing what the EU usually does when it doesn't get the answer it wants: it keeps asking the question, until EU citizens roll over and give in.

This is a gross misrepresentation and does the argument no good. Yes, there is the odd potty project but the audits always show that the Commission is much less wasteful than national governments who love to use the EU to distribute subsidies (set aside premiums for farmland in Bavaria spring to mind).

Its main job is ensuring the single market so this means keeping an eye on state aid, open skies, etc.

As for the money € 20 bn is less than a third of what the ECB is currently giving to the banks every month!

4
7

BOFH: This laptop has ceased to be. And it's pub o'clock soon

Charlie Clark
Silver badge
Pint

So, what you're saying is that jobsworth security guards don't need maiming? I think we know who's buying the next round…

Pint of Sammy Smiths for me, please.

1
0
Charlie Clark
Silver badge
Pint

Re: Quibblage

Well, they're both quantum phenomena but this is closer to Schrödinger: the bomb will go off but the time cannot be known, ergo two quantum states until observed.

Heisenberg's principle is that knowledge of some aspects is mutually exclusive. So you can know the laptop's speed but not where it is. You'll come across this in BOFH's labyrinth game…

9
1

Canonical accused of violating GPL with ZFS-in-Ubuntu 16.04 plan

Charlie Clark
Silver badge

Duh, can we finally stop getting Oracle involved into OpenZFS?

No, because everyone wants to vent their frustration on Larry's evil empire. Even, or perhaps, especially when they've got nothing to do with something.

1
0
Charlie Clark
Silver badge
Headmaster

It's Oracle we're talking about: they created a private fork rather than try and get everyone to agree to changes.

0
1
Charlie Clark
Silver badge
Pint

Few points to clear the confusion

You're ruining it for everyone with all those facts!

5
0
Charlie Clark
Silver badge

IANAL either, but I don't think that statement is correct.

It is with the following proviso: any subsequent changes in the licence require the agreement of all contributors. Otherwise a fork is required. Oracle has wisely chosen to fork OracleZFS.

1
2
Charlie Clark
Silver badge
Mushroom

GPL is make work for lawyers

Kids - just say no!

2
9
Charlie Clark
Silver badge

Re: Let Oracle sue

Not Oracle's beef. Fuckwit GPL zealots.

7
14
Charlie Clark
Silver badge

Re: Well!

Just use FreeBSD.

9
2

Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

Charlie Clark
Silver badge

Will LibreSSL also be affected?

Be interesting to see if LibreSSL also releases a patch at the same time and, if so, what it contains: whether this is related to preserving the API or having a similar vulnerability.

0
0
Charlie Clark
Silver badge
Thumb Down

Re: Pisses me off...

... all these tards coming here moaning about how shit it is when it was written by a bunch of guys in their spare time as a hobby thing.

Be that as it may – yes, it was a dismal state of affairs – the project has now had money thrown at it and it still sucks. Version names like 0.9.8zg FFS

Still poor design is poor design. LibreSSL wasn't forked for fun but after a thorough code review which determined that a new start of a less ambitious project would be better.

2
1

JavaScript daddy's Brave ad-blocker hits Android, Apple stores

Charlie Clark
Silver badge

Good luck with Bitcoin stuff

Very hip and all that but will exclude about 99.9% of the world. Blockchains are interesting, crypto-currencies aren't.

Hm, maybe a browser from PayPal would work for micropayments… Must rush off to get funding.

In any case the days of the ad networks are limited. They're annoying for users and inefficient for advertisers. Much better to sign up for a vertically integrated network with detailed information about the users. We're seeing this with Facebook and Apple's content offerings. No doubt Google, with all that YouTube experience, also has something in the works. And, if the ads are provided by the OS then ad-blockers are going to have their work cut out for them.

0
0

Yelp minimum wage row shines spotlight on … broke, fired employee

Charlie Clark
Silver badge

Re: Funny, when I was her age. . . .

"income inequality" is a chimera.

Sure, but things are not helped by the different (mainly but not just tax) treatment of income and assets which is driving asset bubbles while restraining incomes.

The arguments against a wage floor are now empirically validated: it doesn't destroy jobs and can actually create them because of the increase in disposable income. If you can't afford to charge customers enough to pay it then the job (and presumably business) should go. Otherwise welfare payments start subsidising low wages. Not good.

We're starting to automate people out of jobs permanently, with the rise of industrial robots and follow-on technologies.

Just wait till this starts to hit non-menial jobs. The fear of this may be one of the reasons behind people flocking to Trump or Sanders. Not that economic policy has ever really mattered in US elections.

0
0
Charlie Clark
Silver badge

Re: Funny, when I was her age. . . .

The article made it pretty clear, to me at least, that Talia James isn't deserving of a lot of sympathy. However, the details of her case are symptomatic of real problems in San Francisco and Silicon Valley because of the recent boom and its attendant increase in income inequality.

To focus on one person is to fall into a trap that it's a unique situation. I might have little sympathy for the person named but, as detailed above, I do think that there is a problem.

4
0
Charlie Clark
Silver badge

The simple answer: she's not being paid too little but she is paying too much rent

Wages: $1,466 (after taxes)

Rent: $1,245

That's the problem. Rent should never be > 50% net income.

This is not the employer's fault. Though it does make you wonder how an employer can continue to find workers if that situation is replicated.

However, things are never really that simple. Rents in places like San Francisco tend to rise faster than wages. This is both the result of lack of supply, partly due to local restrictions (not enough housing where people want to live), but also monetary and fiscal policy favouring property and VC investment. Rents are stickier than wages: it's easy to sack people but they still need somewhere to live; bad housing loans lead to bailouts. Furthermore, one of the main arguments used to get people to work for less than market rates is participation in equity through stock options, which everyone likes because of the preferential tax treatment. This is routinely abused by VC funded companies. They also prefer to offer perks like catering and stuff, because they are much easier to scale back than wages, they may also have preferential tax treatment. Rent controls of the European variety might to some degree mitigate against some of the excesses by limiting the amount rents can rise in any year. But San Francisco definitely needs more capacity if rents are to remain affordable.

Indeed, in places like London, you'll see government money being funnelled into the property market through things like "key-worker" schemes. A bit more free market realism wouldn't hurt there: employers will move elsewhere if they can't get employees at a rate they can afford to pay. Of course, this would mean boom then bust, but that's preferable to me than keeping the bubble going with more government money.

I believe Portland, Oregon is actually trying to limit its growth as a city because it's worried about the long term consequences of boom then bust: seeing places like Detroit as a salutary example.

4
0
Charlie Clark
Silver badge

Re: Trump?

Blaming Trump when this is all happening on Obama's watch is a bit one-eyed surely?

I don't see Donald Trump being blamed personally anywhere. More some of the postures and attitudes he adopts.

The situation also has little or nothing to do with Obama's policies.

8
2

Ker-ching! IBM paid 10 times Cleversafe’s funding for the startup

Charlie Clark
Silver badge

Re: Silly money

It's ten times funding. That excludes assets and whether it has any revenue or not.

You want to see silly money: WhatsApp, OculusVR, et al.

4
1
Charlie Clark
Silver badge

Cheap at twice the price.

Given that valuations are often over 100 times funding, it looks like IBM got it cheap from someone wanting to sell.

1
1

The other one. No, not WhatsApp. Telegram. It hit 100 million users

Charlie Clark
Silver badge

Messaging apps that offer end-to-end encryption such as WhatsApp

Really? I thought WhatsApp was only using encryption between devices and its servers. You can't do interoperability between platforms unless they all support end-to-end encryption.

0
0
Charlie Clark
Silver badge

Re: No Love For Signal?

Signal, and its predecessor, have been mentioned in the past on The Register.

I use Signal as well but it's not perfect: the login is tied to the telephone number so you can use the same account on different devices and device support is limited.

But I think the main reason for its lack of popularity is that it simply (and deliberately) isn't "social" enough. The big feature of all the others is the ability to set up groups. They don't really care about security.

0
0

Apple hasn't announced the new iPhone 5SE and pundits already hate it

Charlie Clark
Silver badge

Re: Budget .....

There is an argument that, if Apple's sales of phones ever start to tail off, it should go in search of new markets.

It is probably well-equipped to do this in a similar way to how Nokia managed in the past: produce cheap devices and still sell them at a nice margin. For this to work well without sales of the even higher margin phones being cannibalised the devices must be effectively crippled so that only the most basic things work: phone, messaging, radios, and presumably camera but limited storage. It could be argued that this is more or less what the I-Pod is doing and sales are still impressive for something that feels so obsolete. Maybe the offer could be more attractive with some kind of tailored storage and service subscription: people in the developing economies can't afford much upfront but are great for subscriptions or freemium services as the Chinese market has demonstrated. Think of Facebook's "basics" package only more.

However, this kind of switch comes with risks: possible damage of the brand (Coca Cola doesn't seem to mind being available to everyone), more complicated supply chain and inventory. And seeing as how easy Apple still finds it to make money at the moment, those risks don't really look acceptable at the moment. But I've no doubt that they've thought about how to get their slice of "the next billion".

0
0

'I bet Russian hackers weren't expecting their target to suck so epically hard as this'

Charlie Clark
Silver badge

Even just a shim layer over the database would allow the database code to be reviewed and of course makes it much easier to convert if you change databases.

Making db calls from all over your code is definitely the wrong approach.

Absolutely. As regards changing the DB, I'm not sure how much of a real issue this is. But it shouldn't be held back by DB specific calls in the application layer.

0
0
Charlie Clark
Silver badge

Re: PHP always makes me cringe

Can be useful where various sites using the same software may use a site-specific view in place of the Main Table. The XML would be site specific, but the code common to all sites....

This is a bit short of context: the DB would be doing something with XML? How so?

In any case I still can't see the need for the client code to parametrise the table name like this: that really ought to be done by the DB.

0
0
Charlie Clark
Silver badge

There's a lot to be said for insulating the DB but SPs bring their own problems, not least having a different code base.

As long as parameters are being passed correctly there's not much to be said against giving the client some access. If you don't you're likely to find client code filling up with stuff better done on the db where developers either don't know or don't know how to do it on the server.

The best approach I've seen here is the one suggested by Hannu Krosing of keeping the code on the client side but effectively shipping it to the DB to run there. YMMV but I think there's a lot to be said for this.

2
0
Charlie Clark
Silver badge
Facepalm

PHP always makes me cringe

"select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in('{$path}')

So much not to like.

Why is the table name being parametrised? That's a recipe for disaster all in itself. But, FFS, any field in the DB that depends upon part of the request is suspect.

The SQL injection vector could be mitigated against in the method of the object returned by getDatabaseConnection() which could even check for incorrect use.

0
0

Android users installed 2 BILLION data-stealing, backdooring apps

Charlie Clark
Silver badge

Re: Sloppy

That's because most of the possible exploits require almost lab conditions to work.

MMS exploits are expensive to run. The rest require tricking people into side-loading apps.

I suspect standard phishing attacks offer a better return on investment.

Still, anything that forces the manufacturers to up their game when it comes to providing security updates is more than welcome.

1
0
