* Posts by big_D

3747 posts • joined 27 Nov 2009

Data-spewing Spectre chip flaws can't be killed by software alone, Google boffins conclude

big_D Silver badge

And that explains that ARM, Sparc and other processor architectures are also affected, how exactly?

It is an industry wide problem. It is something that dates back to the 90s, when processors weren't used for virtualization and weren't connected to the Internet. The processor designers had taken a line for designing performant multi-threading processors, then the industry decided virtualization was a thing and that connecting to the Internet was a thing.

Instead of going back to basics (and temporarily crippling the performance of new processor generations), they built out the current architectures (PowerPC, ARM, Sparc, Intel, AMD etc.) to allow these new features, but without ensuring that such side channel attacks could be blocked.

Intel does have the most problems, as they have Meltdown as well as nearly all Spectre variants, whereas the other chip designers / producers only have certain Spectre variants to deal with, but none of them come up smelling of roses.

big_D Silver badge

Re: The royal WEEE ???

The computer industry, specifically the chip manufacturers / designers (AMD, ARM, Intel etc.).

Uncle Sam to its friends around the world: You can buy technology the easy way, or the Huawei

big_D Silver badge

Re: "it also makes it more difficult for America to be present"

What he means is, because the hardware wasn't sent from a US company, they have no chance to interdict it and add their own "presence" to the kit before it is delivered, so they can't be "present" on it.

big_D Silver badge

Proof this time?

"We have seen this all around the world, it also makes it more difficult for America to be present," Pompeo was quoted by Reuters as saying.

That must mean that he could actually present some solid proof this time, as opposed to empty rhetoric?

Not heard owt bad about Huawei, says EU Commish infosec bod

big_D Silver badge

Re: On the other hand...

Interestingly, in a report in the news this evening, more Germans find the USA and Trump a threat than Putin and Russia or China and Xi.

big_D Silver badge

On the other hand...

"There are no compelling reasons that I can see to do business with the Chinese, so long as they have the structure in place to reach in and manipulate or spy on their customers. Those who are charging ahead blindly and embracing the Chinese technology without regard to these concerns may find themselves in a disadvantage in dealing with us."

I suppose they should be using Cisco or HP kit, where it has been proven that the CIA/NSA intercepted the latter's hardware and installed spyware in router and switch firmware, and the former has patched a few dozen backdoors over the last year.

So, buy from US firms, where it is known that they have been manipulated in the past, or from a Chinese company that the US has alleged does the same thing, but can't provide any proof... Hmm, hard decision.

QNAP NAS user? You'd better check your hosts file for mystery anti-antivirus entries

big_D Silver badge

Re: Source of the NAStiness?

All of my QNAPs are up to date and have not been infected, at least the hosts file hasn't been tampered with.

big_D Silver badge

Re: Source of the NAStiness?

I'm guessing they had some sort of port forwarding on the perimeter pointing to the NAS and they weren't fully patched and/or it was a zero-day.

Just checked my QNAPs and they are fine, but none of them have any services set up to work over the Internet, everything is local network only.

After Amazon's Bezos exposes Pecker, National Enquirer pushes back, promises to probe itself

big_D Silver badge
Childcatcher

The moral of the story?

Don't be a plonker and don't send pictures of your plonker* over the internet.

Regardless of how rich or poor you are, don't upload anything you wouldn't want on the front page to the internet - and that includes chat apps, cloud storage etc.

* the same goes for women and their bits.

Reliable system was so reliable, no one noticed its licence had expired... until it was too late

big_D Silver badge

Re: Remember Y2K?

I remember spending a long summer in the early 90s re-writing hundreds of COBOL modules of an ERP system to be Y2K compliant. ISTR that they kept 2 digits on the input masks and database and used a sliding window technique to work out the century part for reporting and prefixing dates on the forms.

Yes, early 90s. My employer saw the event coming and wanted everything in and tested long before the final date.
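The "sliding window" century rule mentioned above, worked through as an added example (not code from the original post or from the ERP system it describes): stored dates keep only two digits, the century is derived at report time from a window anchored on the current year, and a fixed-pivot rule is shown beside it to illustrate why the window has to slide.

```python
"""Two-digit-year expansion with a sliding window versus a fixed pivot.

Added illustration, not the original COBOL. Function names, the 80-years-back
window and the sample dates are assumptions made for this example.
"""
from datetime import date


def expand_year(yy: int, today_year: int, window_back: int = 80) -> int:
    """Map a two-digit year onto the 100-year window that starts
    `window_back` years before `today_year`.

    With today_year=1995 and window_back=80 the window is 1915..2014,
    so 97 -> 1997, 05 -> 2005 and 20 -> 1920. Because the window is
    anchored on today's year, the same rule still works decades later.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    window_start = today_year - window_back
    century = window_start - window_start % 100
    full = century + yy
    if full < window_start:          # below the window: it belongs to the next century
        full += 100
    return full


def expand_year_fixed_pivot(yy: int, pivot: int = 50) -> int:
    """The naive Y2K fix: yy >= pivot is 19yy, otherwise 20yy.

    This never moves, so once real time passes the pivot it breaks:
    in 2060 the value 55 should be 2055 but still comes out as 1955.
    """
    return 1900 + yy if yy >= pivot else 2000 + yy


def parse_ddmmyy(text: str, today_year: int) -> date:
    """Expand a DDMMYY input-mask value (as kept in the two-digit database)
    into a full date for reporting."""
    if len(text) != 6 or not text.isdigit():
        raise ValueError("DDMMYY expected")
    day, month, yy = int(text[0:2]), int(text[2:4]), int(text[4:6])
    return date(expand_year(yy, today_year), month, day)
```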

Fujitsu pitched stalker-y AI that can read your social media posts as solution to Irish border, apparently

big_D Silver badge

Re: WTF?

In Germany it is clearly defined. Any person, in public or private who is "featured" in a photo has to give their explicit permission before a photo can be loaded onto the internet or published.

If they are part of a crowd in the background, that is okay, but if they are in the foreground, you need permission.

big_D Silver badge

Re: WTF?

The same is true in Germany. All number plates must be obfuscated before they can be published, the same for people in the car; their faces and identity in general must be protected.

Dashcams are also quasi illegal. A court did decide that the last 30 seconds before a crash can be used as evidence in court, but that's it. Showing it to the insurance company, the police or posting it online is illegal, as is having a camera that constantly saves footage. If it doesn't just keep the last 30 seconds, you can't use it.

big_D Silver badge

Re: WTF?

Luckily ANPR is still illegal over here, for the most part. Police forces have been rapped on the knuckles for using the ANPR photos to try and find offenders of crimes. As the purpose of the ANPR cameras is for average speed on a piece of road, it is illegal to use the information for anything else.

German bureaucracy for you.

big_D Silver badge

Re: Technological Solutions

So, if I have a 4x4 and no social media accounts, I'm golden?

Apple solemnly agrees to pay France $570m in back taxes, turns to camera, gives us a wink

big_D Silver badge

That has been the case for a long time.

When I buy something on Amazon from a British seller, I still need an invoice with their German tax ID.

The seller can sell in any land of the EU without restriction, as long as they are registered for VAT / sales tax in that country.

Amazon had to change a few years back to comply as well. Especially as more and more businesses were buying through Amazon and required a valid Tax Ident. to claim the tax back.

I've had to send a few products back, because the seller on Amazon charged the German 19% MwSt, but didn't have a valid German tax number, so I couldn't reclaim the tax, so I couldn't put it through the books, so the product had to go back and I re-purchased from another seller that did have a valid tax code.

Amazon S.a.r.l can now only charge reduced tax on certain "virtual" items, but even that is limited.

big_D Silver badge

The sales tax is already applied where the sale takes place, not where the company is based.

Corporate tax revenues should then also be calculated on that basis (or per country on a basis of sales in those countries).

big_D Silver badge

The sale takes place where the customer is. Simple.

European Commission orders mass recall of creepy, leaky child-tracking smartwatch

big_D Silver badge

Re: Tip of the Iceberg

For those born after 2000, maybe. For those born in the 20th Century, the aftermath of fascism and communism still runs very deep.

For those that grew up in the East, it is especially deeply ingrained.

I have a friend who was a teacher at a school in the DDR and lost her job because one of the other teachers was a Stasi spy and reported her less than euphoric opinion of the Party - she didn't say anything negative, she just wasn't positive enough on that one occasion. She lost her job and could never work as a teacher again.

For people who grew up not knowing whether their parents, their spouse or their children might be spying on them for the Stasi, it is easy to see how the population in general has a hard time coming to terms with governments or corporations spying on them.

That is why drones can't be flown over industrial or residential areas, why number plate recognition cameras are illegal in most states and why CCTV is generally frowned upon and only allowed under certain circumstances.

Dashcams are quasi illegal - you can only use them to record the last 30 seconds before an accident and you (theoretically) can't upload it to YouTube, you can't use it to report someone and if you do upload it, you have to make the numberplates unrecognisable.

Given that background, it is easy to understand why people are reticent to let Google & Co. track them.

My better half is a native German and when she is at a party and people take photos, she explicitly states that they do not have her permission to upload any photos with her in them to the Internet. No tech is allowed into the house with a microphone or camera, with the exception of a smartphone; the laptop and tablet have their cameras taped over.

big_D Silver badge
Boffin

Re: But adults have the same crap

Adults "know" the risks and can make an informed decision, whether they want to be tracked or not.

Well, that is the theory at least.

big_D Silver badge

It depends on where you put the emphasis - and where your mind is.

Is it Rap-Ex or Rape-X? I read it as the former for the first half of the article. The name probably got passed, because English is not the native language of most of the people involved.

Maybe if it had been called VergewaltigungX the Germans might have complained...

big_D Silver badge

Re: Tip of the Iceberg

Having put many locally manufactured products through CE certification with TÜV Nord in Germany, it most certainly doesn't mean China Export.

big_D Silver badge

Re: Tip of the Iceberg

A similar watch was banned in Germany last year.

It allowed the "parent" to listen in on the child at any time, including when they were with friends or in school, which is an invasion of privacy. Under German law everybody who can be heard by the device must give their permission before they can be listened to; as the device listens without warning, it was deemed illegal.

Parents had to return it to the retailer and get their money back or have it destroyed and get a certificate showing it had been correctly destroyed and disposed of.

I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt

big_D Silver badge
Coat

Re: Really? A shirt?

Well, it was better than the root-kitted USB stick he could have received...

Mine's the one with the USB stick I found in the carpark in the pocket.

Congrats, Satya Nadella. In just five years, you've turned Microsoft from Neutral Evil to, er, merely True Neutral

big_D Silver badge
Facepalm

US Centric

One problem that Microsoft keeps having, not just under SatNad - doesn't my car have one of those, oh, wait, sorry - is that they release a product in the US market, it has moderate success there, it then gets compared to world-wide sales of competitors, is declared a failure and cancelled before users overseas get a chance to get their hands on it - although a couple of times stuff did reach the UK.

For example, the Zune, the touch version wasn't bad, but never made it outside the USA and was compared to iPod sales and canned, even though there were many people showing interest overseas.

The Band, same story, launched in the USA, people overseas wanted one, but it was only ever sold in the USA, Canada and UK.

Cortana? Hardware not available in many countries. Android and iOS versions still not available in countries where the Windows version is available (the excuse is that the backend server infrastructure is not there to support Android and iOS - why do they need a different infrastructure to the Windows version?!?!).

If Microsoft made its products generally available, they might be surprised at how well they could sell. But always limiting it to an audience that has always been more critical of Microsoft in the consumer market and then claiming everything is a failure seems like MS wants the products to fail... :-S

big_D Silver badge

Re: Typo or subtle swipe?

Well, it is already by Microsoft 362 this year...

Google: All your leaked passwords are belong to us – here's a Chrome extension to find them

big_D Silver badge

Re: Which password manager to plump for?

1Password is good, although I currently use LastPass.com.

At my last employer we used an offline password vault (Keepass) for all company passwords - they had contract clauses with many customers that didn't allow sensitive information to be stored in the cloud.

Another used encrypted directories on Linux, with each user having a personal key and their key was added to each password file that they should have had access to. Worked reasonably well, but a real pain when a new admin started or left the company and you had to visit each file individually and add/remove a key from the access list, for example.

RIP, RDP... nearly: Security house Check Point punches holes in remote desktop tools

big_D Silver badge

Fight back...

That was the first thing I thought of as well, when I saw Kali default client was affected.

Cheap call? Hardly. GSM gateway judicial review to settle whether UK Home Sec can legally push comms watchdog around

big_D Silver badge

Re: "eye-wateringly high per-minute rates demanded by telcos back in the early 2000s"

At the time, end of the 90s, I had a girlfriend in Germany and lived in Blighty. I was paying around 2-3 quid a minute, and back then that was equivalent to over 1.75 Euros (around 3 Deutschmark) to the pound... And that was from a land line, not from a mobile!

Going through the gateway I was saving around 118-175 quid an hour.

My memory is foggy on exactly how much the normal BT costs were back then on my tariff.

Bug-hunter faces jail for vulnerability reports, DuckDuckPwn (almost), family spied on via Nest gizmo, and more

big_D Silver badge

Re: "16 cameras placed around that home"

My wife isn't paranoid, but no cameras and no microphones in the house (with the exception of a smartphone), her PC has tape over the camera.

Nothing needs IoT.

Boffins debunk study claiming certain languages (cough, C, PHP, JS...) lead to more buggy code than others

big_D Silver badge

Re: poor tools can't be blamed?....sure, sure, suurrrrre

But the frameworks etc. make for huge code.

Just look at Inspectr from grc.com. It has a GUI and uses just over 100KB for the executable, the programmer complained that a majority of that was taken up by the icon!

Now try and write something in C++ or C# with a simple GUI form that probes the hardware and comes in with a fingerprint under 200KB.

big_D Silver badge

Re: It's "What's the best language" all over again

I was referring to 1 or 2 liners that you repeatedly use.

For example string validation, length checking etc. when setting properties.

These are things that should become second nature, but you have a little file somewhere with all the examples, so you can quickly access them.

big_D Silver badge

Re: poor tools can't be blamed?....sure, sure, suurrrrre

And with the later relaxation of line width and some relaxation on column importance, it became a very usable language.

I started on PRIMEOS and later moved to DEC VMS COBOL and MicroFocus COBOL on DOS.

It is a lovely, verbose language, which is easy to read and understand.

I loved the feeling of achievement, when you finally got all the code typed in. Pages and pages of it!

I've programmed on most modern languages since then, but I still have fond memories of COBOL.

Currently using C#, Python, PERL and PowerShell.

big_D Silver badge

Re: It's "What's the best language" all over again

Exactly.

Most good programmers develop very quickly a library of routines / code snippets that do away with simple errors and get automatically incorporated in new code.

big_D Silver badge

Re: poor tools can't be blamed?....sure, sure, suurrrrre

COBOL was great!

big_D Silver badge

Re: It's "What's the best language" all over again

A "good" language doesn't make a good programmer and a good programmer can, probably, write good code in a "poor" language.

That said, typed and compiled languages should lead to fewer oversights than an untyped, interpreted language. But, again, it isn't a guarantee of no/fewer bugs; it should just help eliminate one source of errors, but there are enough other areas still open, e.g. buffer overflows, programmer error etc.

But good design and good testing are still the biggest differentiator.

Apple yoinks enterprise certs from Facebook, Google, killing internal apps, to show its power

big_D Silver badge

Exactly, if it had been a "normal" company, they would be banned for a month or for life. Google and Facebook? Less than a day. Pathetic.

big_D Silver badge

Re: Privacy and safety?

Grrr, thanks. Too long in Germany!

big_D Silver badge

Re: Is the same as the OAuth 'Screw' scenario

Enterprise apps don't have a price, as they are for internal use only.

If you purchase external apps for your store, you pay to have them in your store.

In this case, FB and Google were paying the users, not the other way round.

big_D Silver badge

Re: Privacy and safety?

No. This was a programme purely for internal applications within an enterprise. The enterprise can do what it wants (within the law) with the apps distributed internally within the organization.

This was the companies abusing the programme to distribute them to external third parties. Those third parties had agreed to the intrusion by signing up to the app and getting paid for handing over the data.

The problem was that it was a breach of contract for the companies to distribute the apps to non-employees.

That the apps were data slurping sits in second place, but, of course, for news headlines it is much more interesting than a simple breach of contract.

big_D Silver badge

Re: Is the same as the OAuth 'Screw' scenario

Only if that is in the terms and conditions of the contract.

Facebook and Google both entered into a contract for enterprise development, which said they could only deliver apps through that channel to employees and if they tried to distribute software outside of the enterprise they would be in violation of the contract and their certificate would be revoked.

That information was provided to both parties before they signed up to the enterprise programme, so it is little wonder that both parties had their certificates (temporarily) revoked.

I think it is probably the other way round, if it had been a "normal" enterprise or developer, I doubt that the certificates would have been re-instated within 24 hours, it was only because it was Facebook and Google that they managed to pretty much escape unpunished - I think if it was a SME or a "normal" developer, they would either have been out on their arse or they would have had a month or so to think about their actions, before having their privileges restored.

big_D Silver badge

And if you need to use their services, ensure you don't willingly violate them and then act all hurt when you suffer the consequences you knew could befall you, when you are caught.

big_D Silver badge

Re: Seems to me that FB and Google got caught with their hands in the cookie jar

What is "used for good"? The two companies violated the agreed upon contract terms and suffered the punishment as put out in the contract terms.

Nothing more, nothing less.

When your rights depend on the graciousness of some king, and not on rules everybody must abide by, it's always at risk.

And it has nothing to do with the graciousness of some king. These companies enter into a normal business relationship with each other and the terms are set out in advance. Violation of those terms mean that either side can cancel the contract without notice. That is normal business practice, I used to go through about 3 or 4 such agreements every month in my old job.

As a consumer, you also enter into an agreement with Apple, in this instance, and it is also clearly defined what both parties can and can't do. It is therefore your decision to enter into that contract or not.

This has nothing to do with abuse of power. It is simply two contract parties broke the conditions of the contract they entered into and suffered the agreed upon consequences.

big_D Silver badge

Privacy and safety?

While Apple's action can be appreciated from a privacy and safety perspective,

This has absolutely nothing to do with privacy and safety. It is solely a breach of contract terms, terms to which Facebook and Google agreed when they signed up for the enterprise development programme.

This is Apple just being consequent and enforcing the contract terms that both companies agreed to.

I am not an Apple user, I don't particularly like the company, but in this situation, revoking their certificates was the only thing that Apple could logically do, and both Facebook and Google knew that before they launched their respective spyware to private individuals who didn't work for Facebook or Google through the enterprise programme - the clue is in the name! If they had made the users employees or possibly contractors, it would probably not have been a problem.

Furious Apple revokes Facebook's enty app cert after Zuck's crew abused it to slurp private data

big_D Silver badge

Re: Do these "scandals" have any adverse affect though?

I think just about everybody in my family has left Facepalm and most are leaving WhatsApp behind.

Was talking to my eldest daughter and her friend (he is doing an MSc in computing) and mentioned the combining of WhatsApp, Facebook Messenger and Instagram. She asked what Instagram was! :-O

Are you a Windows 1 in 10 (1809)? Or a mighty 80 percenter (1803)?

big_D Silver badge

1809

I've been on it on all my PCs since the October release and haven't had any problems so far.

Interestingly, installing new machines this week, Microsoft still isn't offering 1809 as an option on updating manually. I had to download the media creation tool in the end.

Apple: Trust us, we've patented parts of Swift, and thus chunks of other programming languages, for your own good

big_D Silver badge

Re: ignoring the fact of Prior Art ?

Yes, and yes it was powerful, although I found the EDT keypad layout more sensible. I had a macro that set the key layout to EDT when TPU started.

big_D Silver badge

Re: ignoring the fact of Prior Art ?

Software isn't patentable in the EU. The courts decided that the existing copyright was enough for software.

big_D Silver badge

Re: ignoring the fact of Prior Art ?

The first thing I thought when I read the first patent was that I used something similar in the 1980s for writing software: we had a project that was DCL, COBOL and C, and a TPU editor environment that would chain compile the project and open the source code with errors and the error log split screen.

The same with Visual Studio later on...

Whats(goes)App must come down... World in shock as Zuck decides to intertwine Facebook, Instagram, WhatsApp

big_D Silver badge

WhatsApp uploads the complete contact information to Facebook's servers in the USA.

Signal makes a one-off hash of the mobile numbers of your contacts and compares them to registered users. Where the hashes match, you and the contact can then see each other; I believe the hashes are then, allegedly, thrown away.

So no names, addresses, email addresses, birthdays etc. are uploaded to Signal, just the hashed phone numbers.

With Telegram you can decide to sync contacts. With WhatsApp, if you turn off contact access, you can't add new friends to WhatsApp and it only displays the telephone numbers, no names.
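The hashed contact discovery flow described in the post above, as an added example that is not Signal's, WhatsApp's or Telegram's actual code: the client sends only digests of normalised phone numbers, the server intersects them with the digests of registered users, returns the matches and keeps nothing from the upload; names, addresses and birthdays never leave the device. The class and function names and the sample numbers are constructed for this illustration.

```python
"""Privacy-preserving contact discovery by hashed phone numbers.

Added illustration; the server side, the E.164 normalisation and the sample
address book are assumptions made for this example, not any app's real code.
"""
import hashlib
from typing import Dict, Iterable, List, Set


def normalise_e164(number: str) -> str:
    """Strip spaces, dashes and brackets so the same number always hashes the same."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "+" + digits


def hash_number(number: str) -> str:
    """Digest of the normalised number; this is all the client uploads.
    Note: the phone-number space is small, so a bare hash pseudonymises
    rather than hides the number from a server determined to recover it."""
    return hashlib.sha256(normalise_e164(number).encode()).hexdigest()


class DiscoveryServer:
    """Holds only the digests of registered numbers, never an address book."""

    def __init__(self, registered_numbers: Iterable[str]) -> None:
        self._registered: Set[str] = {hash_number(n) for n in registered_numbers}
        self.retained_upload_hashes = 0   # what survives a query: nothing

    def discover(self, uploaded_hashes: List[str]) -> Set[str]:
        """Return the uploaded digests that belong to registered users.
        The upload is used for the intersection and then dropped; the
        non-matching digests are not stored anywhere."""
        matches = self._registered.intersection(uploaded_hashes)
        return matches


def client_discover(server: DiscoveryServer, address_book: Dict[str, str]) -> List[str]:
    """address_book maps display name -> phone number and stays on the device.
    Returns the names whose numbers are registered; only digests were sent."""
    by_hash = {hash_number(num): name for name, num in address_book.items()}
    matched = server.discover(list(by_hash))
    return sorted(by_hash[h] for h in matched)


# Constructed sample data for the demo; not real users or numbers.
REGISTERED = ["+49 170 1234567", "+44 7700 900123", "+1 202 555 0143"]
ADDRESS_BOOK = {
    "Alice": "+49 170 1234567",
    "Bob": "+44 7700 900999",          # not registered, so never revealed
    "Carol": "+1 (202) 555-0143",      # different formatting, same number
}


def demo() -> List[str]:
    return client_discover(DiscoveryServer(REGISTERED), ADDRESS_BOOK)


if __name__ == "__main__":
    print(demo())
```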

big_D Silver badge

Signal is the protocol that WhatsApp uses; Signal the app is therefore WhatsApp without the surveillance.

Biting the hand that feeds IT © 1998–2019