* Posts by Charlie Clark

5121 posts • joined 16 Apr 2007

Oracle's website, social media to wear sandwich board of shame over Java SE insecurity

Charlie Clark
Silver badge

And the alternative to Java for embedded systems is....?

Pretty much anything. LLVM and similar techniques have taken much of the pain out of embedded runtimes.

8
0

Android's unpatched dead device jungle is good for security

Charlie Clark
Silver badge

Re: Yeah But...

do they not think it beyond the wit/skill of the malware creators to see what version of Android the device is running and use known vulnerabilities for that version to install the payloads?(spelling fixed)

The point he's trying to make is that it is exactly this kind of discovery and targeted exploit that is too expensive to be worthwhile.

This is a "things aren't as bad as some people make out" argument which does seem to be borne out by the facts: millions, or even billions of mobile phones have yet to be compromised. I also wonder what the potential market even for those compromised devices is, assuming that miscreants go for the current favourite attack of ransomware. Even for the technically unskilled a factory reset and reinstall from the cloud shouldn't be too hard, or too expensive if you have to get someone to do it: it must be less than the cost of a replacement handset.

No reason for Google or the handset makers to rest on their laurels, of course.

9
0

Apple's fruitless rootless security broken by code that fits in a tweet

Charlie Clark
Silver badge
Black Helicopters

Re: Hang on a minute

It wouldn't surprise me at all to discover that Apple's real agenda here is to create a protected enclave for DRM tools that even root can't violate.

The same thought has crossed several minds…

2
1
Charlie Clark
Silver badge
FAIL

Re: Hang on a minute

And how would things get more secure because the machine reboots before implementing the end-user's mistakes?

You seem to fail to understand the point: let a user process download signed stuff from Apple. Everything that is downloaded should be safe. But the installer cannot be hijacked or abused to do anything else because it can never be run by the user process.

Here's a nice badge for you.

1
0
Charlie Clark
Silver badge

Re: Hang on a minute

I think the idea behind SIP is to avoid simple permission escalation attacks from users who also have admin roles (i.e. can sudo). As such it's a nice idea as it makes "click this" exploits a little harder without taunting the user with permission requests à la Windows Vista.

However, Apple also privileges certain applications such as the software updater so that it can run while the user is logged in, as opposed to forcing the machine to restart in single user mode and install whichever signed packages have been downloaded. I wonder if this is what Windows does with some of the system updates?

It might be possible to keep SIP around if it is simplified and there are fewer exceptions. Personally, I disabled it because I wanted to downgrade iTunes. And this is an example of one of its flaws – they're trying to protect too much shit. Given how fast MacOS boots with an SSD, they might want to consider forcing more stuff to be done from a restart rather than trying to play security and convenience off against each other.

2
2

Teen tricks leaky Valve into publishing hot new Steam game: Watching Paint Dry

Charlie Clark
Silver badge

Re: A bit miffed about the whole "ignored the warnings" part

What is this, the 16th century?

Going by Valve's approach to coding it could well be.

5
0
Charlie Clark
Silver badge
Coat

Re: Ruby off the rails

Well, he's technically from Salford on the other side of the River Irwell. Mind you, that's the place where Grand Theft Auto isn't just a game…

0
0

How NoSQL graph databases still usurp relational dynasties

Charlie Clark
Silver badge

Re: Best Tool

Ideally I'd like a seamless NoSQL and SQL database where the most appropriate storage method can be used

What, you mean like Postgres? JSON/hstore support, vertical column support, parallelism, etc.

1
1
Charlie Clark
Silver badge
Thumb Down

Re: Yes but no but

The relational model does have its place, and probably always will, but the big realisation with the NoSQL movement is that one size doesn't fit all, nor does it have to.

Bollocks. In general, an RDBMS is exactly what you want but you'll have to learn how to configure and use it properly. It grew out of Codd's reasoned arguments against the problems associated with the non-relational databases of the 1960s, many of which plague the NoSQL systems of today: "consistency, who needs it?".

The NoSQL approach grew out of some niche use cases which the software industry suddenly turned into general problems: volatile document store, time series data.

2
1
Charlie Clark
Silver badge

Traditional database vendors, though, are fighting back. Microsoft's SQL server (as of version 2016) offers a way to store and retrieve JSON data in a relatively painless way, although the data itself is stored in the relational engine.

Does the author only know MS SQL Server? Certainly looks like it.

JSON support has been in Postgres for a while and Postgres 9.5 adds binary support and indexing.

2
0

Firefox features will land out of cycle and Mozilla's cool with that

Charlie Clark
Silver badge

Re: Alternatives to FF and Chrome?

Well, although Vivaldi is using the Chrome browser engine, it's focussing on UX and providing features that users want and use. It ain't there yet, but it's certainly worth a try: http://vivaldi.com

1
0
Charlie Clark
Silver badge

Re: Ohh, Gee...

Memory use in browsers is driven by the size of the DOM and cached resources. DOMs for modern websites, especially those with lots of features (web-mail pages and anything that looks like an application) can be astonishingly high.

The Chromium browsers avoid some of the problems by creating a new process for each tab (uses even more memory but reduces the chance of one rogue tab bringing down the whole browser). Firefox is supposed to be moving towards a similar model.

FWIW I don't use Firefox as my main browser; I'm certainly not a fan of either the "sharing" shit or out of band feature releases.

0
0
Charlie Clark
Silver badge
FAIL

Might sysadmins notice?

Might sysadmins notice?

Those that care will be running Firefox ESR which won't be following this practice.

Out of band feature releases break the principle of semantic versioning but so what? Users are annoyed by changes, especially UI changes, whichever version they come in.

1
0
Charlie Clark
Silver badge

Re: Ohh, Gee...

How does the number of times you tap your screen affect your memory use?

All the browsers switched to using more memory a few years ago. Your computer has it, your OS can manage it and it makes things faster. Get over it.

5
8

DARPA issues collaborative spectrum sharing challenge

Charlie Clark
Silver badge

Explanation required

Hoarding spectrum isn't cool or practical, but if wireless operators everyone wins

I'm obviously too stupid to understand this… please help me.

3
0

William Hague: Brussels attacks mean we must destroy crypto ASAP

Charlie Clark
Silver badge

Re: Fuck it

Let's ban pub car parks as well

In some of the places I've been to recently you don't need to step out into the car park to conduct your illicit activities.

Schaarbeek is full of such places. As are East and North Belfast…

1
0
Charlie Clark
Silver badge

…and all our own secret communications are no longer secret and our secret agents are no longer secret or safe.

Meanwhile, in the real world, the encryption genie is out of the bottle and, like illegal weapons, is being used by people already breaking the law.

2
0
Charlie Clark
Silver badge

In the US it's like gun legislation: virtually never enforced but looks good on telly. You could probably convincingly argue the first amendment makes provision for anonymous phones. But it'll probably never come to that because you'll always be able to pick up a SIM card somewhere.

3
0
Charlie Clark
Silver badge
Thumb Up

Re: I find myself wondering . .

My hovercraft if full of eels.

My hovercraft is full of eels.

FTFY but have an upvote all the same.

2
0
Charlie Clark
Silver badge

It was the utter incompetence of the Belgian authorities.

To be fair, they're under-staffed and suffer significantly from the fragmented government of the autonomous districts that make up Brussels. Cooperation between the various French and Flemish districts is notoriously poor.

To this you can add the various periods where Belgium has only had a caretaker government, which has held up all kinds of projects while making sure that the state keeps ticking along.

5
0

Ransomware now using disk-level encryption

Charlie Clark
Silver badge

Re: It's B'stards like these...

Or, we've not been taking security seriously enough for years and hoping that something like this would never happen. I'm sticking my head back under the covers and hoping it goes away. Yeah, that should work.

4
0

Oracle v Google: Big Red wants $9.3bn in Java copyright damages

Charlie Clark
Silver badge
FAIL

Re: Java property of Oracle

What do you think an API is apart from a list of method names, their signatures, and their return values?

6
0

ExoMars probe narrowly avoids death, still in peril after rocket snafu

Charlie Clark
Silver badge

Re: Can't they test the instruments before they get to Mars?

No (and for good reason).

1
1

Confused by crypto? Here's what that password hashing stuff means in English

Charlie Clark
Silver badge

Re: Bah!

And while I agree that salt techniques are important, I disagree with a commenter that they were "missing" from this document

An unsalted hash is merely obfuscated and not encrypted; this is why salts are essential and not optional.

0
0

Microsoft did Nazi that coming: Teen girl chatbot turns into Hitler-loving sex troll in hours

Charlie Clark
Silver badge
Unhappy

What a pity…

… sounds like the first thing worth following on Twitter and they pulled it.

3
0
Charlie Clark
Silver badge

Re: Tay: A river

And isn't Dundee on the Tay? How appropriate.

3
0

Lost in the obits: Intel's Andy Grove's great warning to Silicon Valley

Charlie Clark
Silver badge
Coat

Re: I beg to differ...

I believe this one is yours, sir. ->

2
0
Charlie Clark
Silver badge
Thumb Up

Seeing as most of the article is about the US the swipes against the EU do indeed make little sense. Add to that Germany's manufacturing industry hasn't suffered from being part of the EU. Mind you, Germany's own version of Silicon Valley, dubbed "Silicon Saxony", has been more of a subsidy magnet than a wealth creator.

In summary: Britain's pro-service, anti-industry policy has nothing to do with the EU.

13
1

Microsoft files patent for 'PhonePad', hints at future Windows plans

Charlie Clark
Silver badge

I have a nasty feeling that MS might be claiming royalties from the work others have put into their own implementations of the same requirement.

Well, if that is the case you can't really blame MS but the US patent system, which privileges filing even the most spurious patent. Maybe the current dispute over CRISPR/Cas9 will help sort out this mess.

However, I can't help thinking that this may be difficult to enforce and invite a raft of claims of prior art. Still, even then the patent could be a useful bargaining chip.

Instances of possible prior art that fall out of my addled head: Samsung had a hub function specifically for games; Amazon's WhisperSync across the Kindle/Audible boundary.

1
0

Error checks? Eh? What could go wrong, really? (DoSing a US govt site)

Charlie Clark
Silver badge

Re: jQuery

I can't comment on the code except that it looks a bit odd. It could be, and probably is, just shitty code but the same logic could be written in any language.

I heartily disagree. The world before jQuery was very unpredictable with lots and lots of slightly differently own-rolled code.

jQuery is helping standardise common use cases that, in turn, help standardise the language development and browser implementations. Indeed in many situations it is becoming a victim of its own success: more and more stuff can be moved into CSS. I'm looking forward to seeing more of this.

4
1

Samsung Galaxy S7: Big brand Android flagship champ

Charlie Clark
Silver badge

Re: This is one of my bugbears . . .

Also, £60 to fix not 200 euros, although I did it myself.

I think you may find the S7, especially the Edge, a little more pricey. And, even if you are able to do this kind of repair yourself, many of us aren't. That said, I've not used cases very often and I have yet to break a screen myself. But I see plenty of broken screens when walking around town and my own current phone is someone else's refurbed after they broke the screen…

1
0
Charlie Clark
Silver badge

Out of curiosity, how would a case help with landing screen-down on something sharp, other than if the sharp item is smaller than the case bezel? I'd be surprised if that thin sheet of plastic over the screen would make that much of a difference.

A good case comes with a cover for the screen. As Andrew notes, Samsung does provide some nice cases itself.

1
0
Charlie Clark
Silver badge

Re: Just had a handle of my boss' S7 today

But Samsungs are also very easy to root and put CyanogenMod on, meaning fast security updates for a long period of time.

It's far from ideal but it's better than nothing.

2
1
Charlie Clark
Silver badge

I think the 4:3 will be related both to the CCD but also to letting you do more in software: you can still take 16:9 images, they'll just be cropped from 4:3. OTOH I've always loved the panorama modes.

The reports are that the CCD is much, much better in lower light than the competition. Still, if I wanted a good digital camera I wouldn't necessarily go for a high-end smartphone, the Nokia stunner being the exception.

1
0
Charlie Clark
Silver badge

Good review

Heise have tested the always on feature and say it matches expectations: briefly lighting up part of an OLED screen really doesn't take much juice.

I passed my first S7 poster today and, in a world where Apple seems to be eyeing the mid-market, it was very Apple. The S6 Edge gave Samsung a recognisable visual USP for the first time and hopefully they'll make sure they produce enough of the curved screens this year.

I think most people will love the SD card and not worry too much about the battery, loading up with power packs if they think they're going to be without power.

As for a dark theme, well Android N is supposed to come with one of these.

1
0
Charlie Clark
Silver badge

Anything with a reasonably sized glass screen is very likely to break if it lands screen down on anything sharp. Worth getting some kind of case just to avoid the € 200 cost of a screen replacement.

5
1
Charlie Clark
Silver badge

I think that's pretty much what Samsung said at the launch.

2
0

Hands on with the BBC's Micro:Bit computer. You know, for kids

Charlie Clark
Silver badge

Re: License fee funding another management spinoff?

I think the bigger issue is probably: should the BBC be involved in this at all? I think it's a laudable scheme and I'm a big fan of the BBC principle, but I hope that some kind of non-quango will take over the running soon. No need to give the anti-BBC ammo in charter renewal year.

1
0
Charlie Clark
Silver badge

Re: Scratch

It's better seen as a companion device for a Pi: it can be fitted with a 5V lithium cell and left to run. You could use them to set up a network of sensors all reporting to something running on a Pi.

0
0
Charlie Clark
Silver badge

Re: Sod the Microsoft lock-in!

It's not a physical lock-in but "do everything on the MICROSOFT cloud with MICROSOFT tools" lock-in.

This is hardly going to encourage the tinkering for which the Microbits are ideal. Scratch for the RPi already has the visual introduction to programming angle covered.

1
0
Charlie Clark
Silver badge

Sod the Microsoft lock-in!

Microsoft blocks be damned! That's the typical whale song and bollocks designed to stop anything actually happening.

Works great with MicroPython as we had the privilege to see at our local Python user group meeting in January (in German). Though the restriction to 16 kB does severely limit what you can do with it as you can't really run a program and use the Bluetooth stack at the same time.

The benefit will be that the 1 million units should, like the RPi, provide a large enough market and could help standardise IoT components.

0
2

FBI backs down against Apple: Feds may be able to crack killer's iPhone without iGiant's help

Charlie Clark
Silver badge
Headmaster

Re: @Charlie Clark precedent

Well, if the cap fits, I'll happily ware (sic) it. ;-)

1
0
Charlie Clark
Silver badge
FAIL

Re: precedent

Great thanks to you the grammar police from a dyslexic without the time to have a second person read all my posts ahead of time. Ride that high horse!

In other words: make the Mexicans spell and make them pay for it

Any dyslexic worth their salt knows how important it is to take the time and to use the relevant tools to reduce errors. The problem with your incomprehensible gibberish was not that it was poorly spelt but that it was incomprehensible: no combination of lose/loose lose/loose could ever make sense in the context.

Trying to pass off your ignorance as a medical condition is shameful.

14
6
Charlie Clark
Silver badge

Re: precedent

Perhaps if there had remained a single, dominant English-speaking country, in the same way as there has been with French or German, say, then there would have been an opportunity to rationalise the language.

Given the omnishambles that was the German spelling reform and the current storm in France over the dropping of the circumflex, I am more than a little sceptical that this would work.

The fact is that most attempts to prescribe language use fail miserably, and its absence is possibly one of the reasons for English's success.

8
0

Microsoft to add a touch of Chrome to Edge

Charlie Clark
Silver badge

Re: Internet Explorer

Edge doesn't support ActiveX so can't be used for those hideous older Sharepoint sites.

Both Firefox ESR and Chrome can be made to work with Group Policy, which is why they continue to gain market share in the corporate space.

0
0
Charlie Clark
Silver badge
Thumb Down

Re: Firefox Chrome-a-like

Good luck with that.

XUL et al. are so 2000 and have always suffered from the NIH syndrome. The Chrome extension API is simpler and promotes interoperability.

0
0
Charlie Clark
Silver badge

They ARE standards though. Chrome is just the only player with the resources to implement them quickly. Firefox always gets them eventually, and the losers never do.

Firefox is pretty good at implementing standards and participating in their development.

As for the new IE 6, well that has to be Safari.

2
0

Apple Macs, iPhones, iPads, Watches, TVs can be hijacked by evil Wi-Fi, PDFs – update now

Charlie Clark
Silver badge
Stop

Re: What a toxic hellstew

Yes, you do. OS updates that work across a wide range of devices. Unlike – ahem – certain devices where there's barely a 2% uptake rate of the most recent software fixes.

Apple's record of incorporating fixes for known bugs in upstream POSIX stuff (libxml2, OpenSSL, etc.) is shameful. Pointing out the problems with Android does not detract from this.

5
1
Charlie Clark
Silver badge
Facepalm

Apple continues to depress

Just cherrypicking:

A shedload of bug fixes in libxml2: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution.

I suspect anyone seriously using XML will have their own up-to-date install of libxml2 via MacPorts or Homebrew. The same goes for the rest of the POSIX stuff: this should all be managed outside the OS so that it can easily be kept up to date with upstream security fixes.

Get with it Apple!

3
0

Yahoo! kills! more! passwords! with! push! notification! app!

Charlie Clark
Silver badge

Actually, using the phone as a replacement for an RSA or similar is quite a nice idea.

Research shows that we all struggle with passwords. Of the various attempts to get rid of them while not reducing security this one seems quite reasonable. Sure: if you lose your phone you might struggle but I think struggling to access Yahoo mail is then probably the least of your worries.

0
3

Biting the hand that feeds IT © 1998–2017