If you can't beat 'em, buy 'em.
427 posts • joined 17 Oct 2006
The history of networking in a nutshell:
"it's worth noting that security considerations to this approach have yet to be considered: the relevant section is listed as simply 'To do.'"
Re: One coin worth $293
The devops guy didn't steal them. He accidentally nuked the code to decrypt them, which apparently can't be restored, so now they're just random bits in the wind.
It's as if some web server had exposed an initWallet() function that destroyed and recreated one, and an initWallets() that destroyed and recreated all of them. And they were both 100% public. The facepalm is strong with this company; the fact that he was involved with Ethereum's founding is a strong knock against Ethereum itself at this point.
So they created a badly-trained machine learning algorithm, limited it to 32x32, and then created an easy attack against it? This is the kind of spam publishing that floods the lower-tier journals. I'm not even remotely interested until it's at least tested against one of the dozens of existing commercial machine learning algorithms.
It might have been relevant in the 90's, when algorithms actually did downsample to such an extreme just to work at all in the processing power available, but this has literally zero implication on anything today, it's pure wankery by academics way out of touch with the state of the industry.
Re: They do have a clue
If IT says "no" to supporting a piece of software that the business bundles, you have much bigger problems. I can't believe Michael Dell wouldn't just summarily fire anyone who would flat out refuse to support a legit business need.
Some manager in the chain probably got a bonus from giving the support contract to a third-party and saving Dell from having to hire or buy anything, though.
It's pretty trivial to live relocate as long as certain conditions are accounted for, as hinted in the article: Turn entry points into mere trampolines to the real code. When you're ready to cycle the code location, copy the code to the new location, rewrite the trampoline, and tear down the old code when you're sure no one is executing it anymore. Code's changed and no caller knows the difference, just like a stable API/ABI.
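The trampoline scheme described in the post, as an added Python sketch that is not the commenter's code: a stable entry point forwards to whichever implementation is currently live, `relocate()` rewrites the target, and in-flight callers are counted so the old code is torn down only once nobody is executing it. The `Trampoline` class and the `v1`/`v2`/`v3` functions are hypothetical names chosen for this example.

```python
import threading


class Trampoline:
    """Stable entry point that forwards every call to the live implementation.

    Hypothetical example. Callers only ever hold a reference to the
    trampoline, so swapping the target is invisible to them, like a stable
    API/ABI. Each call bumps an in-flight counter for the implementation it
    landed on; an implementation is torn down when it has been replaced AND
    its counter has dropped back to zero.
    """

    def __init__(self, impl):
        self._impl = impl
        self._lock = threading.Lock()
        self._inflight = {impl: 0}   # impl -> number of callers inside it
        self._retired = []           # names of implementations torn down

    def __call__(self, *args, **kwargs):
        with self._lock:
            impl = self._impl        # pin the target for this call
            self._inflight[impl] += 1
        try:
            return impl(*args, **kwargs)
        finally:
            with self._lock:
                self._inflight[impl] -= 1
                # Old code whose last caller just left can go now.
                if impl is not self._impl and self._inflight[impl] == 0:
                    self._teardown(impl)

    def relocate(self, new_impl):
        """Rewrite the trampoline to point at the new code location."""
        with self._lock:
            old = self._impl
            self._impl = new_impl
            self._inflight.setdefault(new_impl, 0)
            # Idle old code can be torn down immediately; busy code waits.
            if self._inflight[old] == 0:
                self._teardown(old)

    def _teardown(self, impl):
        # Caller holds self._lock. Stand-in for unmapping the old pages.
        del self._inflight[impl]
        self._retired.append(impl.__name__)

    def retired(self):
        return list(self._retired)


def demo_idle_swap():
    """Relocate while nothing is running: old code is retired at once."""
    def v1(x):
        return x + 1

    def v2(x):
        return x * 2

    entry = Trampoline(v1)
    first = entry(3)            # 4, served by v1
    entry.relocate(v2)
    second = entry(3)           # 6, served by v2; no caller saw a change
    return first, second, entry.retired()


def demo_busy_swap():
    """Relocate while the old implementation is still executing."""
    def v3(x):
        return x - 1

    entry = Trampoline(v3)      # placeholder target, replaced below
    observed = {}

    def v2(x):
        # Swap happens mid-call: v2 must not be torn down yet.
        entry.relocate(v3)
        observed["retired_during_call"] = entry.retired()
        return x * 2

    entry.relocate(v2)          # v3 idle -> retired right away
    result = entry(5)           # 10, then v2 is retired on return
    return result, observed["retired_during_call"], entry.retired()


if __name__ == "__main__":
    print(demo_idle_swap())
    print(demo_busy_swap())
```

The `finally` block is the part that matters: the swap itself is a single pointer write, but the old code is only reclaimed after the last caller that entered through the old pointer has returned.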
Why does it even matter?
Only these nutty Ethereum wonks would raise hell over the fact that someone put another tool in the toolbox, even if it's only rarely going to be used. There are lots of uses of SHA-1 (and MD5, and CRC32) that aren't even related to security at all, so the push to phase it out in favor of something stronger is a lot less compelling. Do they cry that every other major programming language's standard library also has an implementation?
Re: Without examples, good English doesn't tell you much
MDN's big strength compared to crap like W3S is that it includes a number of in-depth examples, documentation on inheritance order and how modifiers affect it, and other information that can help both novices and pros track down problems and solve tricky things more efficiently. It's not just the fact that they write English clearly, they also write code clearly. (And yes, they do integrate good stuff from Stack Exchange.)
Unlike MSDN, they aren't written primarily by first-year junior interns and only reviewed by senior developers when they want to, and unlike W3S, they don't just give a barely surface-level overview with a trivial 3-line example of usage.
Re: Is anything ever obsolete?
> The issue is not the age of the existing digital standard, it's the time taken since the last time that people were forced to upgrade their sets or settop boxes on pain of them no longer working.
Like I said, what's the point? By the time the standard is hashed out, ratified, implemented, and finally cut over, you're looking at a minimum of another decade, maybe even two. But thanks for ignoring that.
Re: Is anything ever obsolete?
That's mainly because the standard was way ahead of video technology of the day; it wasn't until the late 80's that televisions could even show off the full fidelity of the standards. Admittedly, for its time, both NTSC and PAL were good technology that used an enormous amount of bandwidth to make up for their simplicity. Raw NTSC is about 50-100MB/s, depending on how accurate you want color to be, meaning that you could store a whole 1.5-3 minutes of raw video on a DVD-9. It took a LONG time to outgrow that, but once HD showed up, that was that.
On the other hand, there's now lots of investment in continually improving the state of the art, and where ATSC could meet the needs of HD easily, it's again not going to work for 4K or HDR/deep color. This changeover is as much consumer-driven as industry-driven.
It's not like ATSC 1 barely came into being and now it's time to toss it, it's over 20 years old as well (though the H.264 extension is only 10 years old). By the time the new standard is ratified and anyone starts broadcasting with it, we're probably looking at another decade at least. There's only so much future-proofing you can put into digital technology with fancy algorithms, since it still has to be cheap enough to purchase early on.
Their trade secret route to reducing short-lived file overhead
Making every hash default to all zero, and actually hashing dirty blocks for real during periods of lower disk contention or after a set time expires? Seems straightforward enough. (Obviously also communicating with the OS, though interesting possibilities if you could get the OS to send a Trim when a file is deleted.) That would suck for blocks that randomly do hash out to zero, but they just get put in the "sorry, you don't get dedup" bucket. Even a 32-bit key pretty much obviates any need to care about that, losing one billionth of a percent of theoretical efficiency overall.
ZFS was an amazing feat of engineering, but "overengineered" doesn't even begin to scratch the surface. All of its competitors have struggled to achieve 90% of its efficiency while reducing the huge disk and memory footprint it requires, and it looks like X-IO might have really cracked open the nut.
Sadly, this just means NetApp, EMC, or Oracle is going to buy them out and silo their tech forever.
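The lazy-hashing idea from the post above, as an added Python model that is not the commenter's or X-IO's code: new blocks carry an all-zero key until an idle-time pass hashes them, a block deleted before that pass (the short-lived-file case) never costs a hash, and a block whose real key happens to be zero is dropped into the "sorry, no dedup" bucket. A 32-bit key (CRC32, as the post mentions) is used here purely so the example runs offline; because a 32-bit key is not collision-resistant, the store compares bytes before treating two blocks as duplicates. Class and method names are hypothetical.

```python
import zlib

UNHASHED = 0  # sentinel key: "not hashed yet"


class LazyDedupStore:
    """Hypothetical block store that defers hashing to idle periods."""

    def __init__(self):
        self.blocks = {}       # block_id -> bytes
        self.key = {}          # block_id -> 32-bit key or UNHASHED
        self.dirty = []        # block ids queued for the idle-time hash pass
        self.index = {}        # key -> canonical block_id holding that content
        self.dup_of = {}       # duplicate block_id -> canonical block_id
        self.no_dedup = set()  # blocks whose real key collided with the sentinel

    def write(self, block_id, data: bytes):
        # Fast path: store bytes, record the zero key, do no hashing now.
        self.blocks[block_id] = data
        self.key[block_id] = UNHASHED
        self.dirty.append(block_id)

    def delete(self, block_id):
        # Models the OS sending a Trim: a short-lived block that dies before
        # the idle pass is never hashed at all.
        self.blocks.pop(block_id, None)
        self.key.pop(block_id, None)
        self.dup_of.pop(block_id, None)
        self.no_dedup.discard(block_id)

    def hash_dirty(self):
        """Idle-time pass; returns how many blocks were actually hashed."""
        hashed = 0
        while self.dirty:
            bid = self.dirty.pop(0)
            if bid not in self.blocks:
                continue  # deleted before we got to it: zero hash work spent
            k = zlib.crc32(self.blocks[bid]) & 0xFFFFFFFF
            hashed += 1
            if k == UNHASHED:
                # Indistinguishable from "not hashed": forfeit dedup for it.
                self.no_dedup.add(bid)
                continue
            self.key[bid] = k
            canon = self.index.get(k)
            if canon is None:
                self.index[k] = bid
            elif self.blocks[canon] == self.blocks[bid]:
                self.dup_of[bid] = canon      # verified duplicate
            # else: 32-bit key collision with different bytes; keep as unique
        return hashed

    def physical_blocks(self):
        """Blocks that still occupy their own storage."""
        return sorted(b for b in self.blocks if b not in self.dup_of)


def demo():
    store = LazyDedupStore()
    payload = b"constructed sample block" * 8
    store.write("b1", payload)
    store.write("b2", payload)        # same content: dedup candidate
    store.write("b3", b"")            # crc32(b"") == 0: lands in no-dedup bucket
    store.write("tmp", b"short-lived temp file")
    store.delete("tmp")               # gone before the idle pass
    before = store.physical_blocks()  # nothing deduped yet: b1, b2, b3
    hashed = store.hash_dirty()
    return before, hashed, store.physical_blocks(), dict(store.dup_of), set(store.no_dedup)


if __name__ == "__main__":
    print(demo())
```

The byte comparison in `hash_dirty` is the check a practitioner would insist on with a short key: dedup on the key alone would silently merge colliding blocks.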
Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages
Re: I've recently seen a current version of Outlook...
Microsoft went all-in with better quicksearch over threading, topics, manual organization and tags, etc, after Google completely blew away the idea of manually organizing mail for most of the population. It turns out that only about 1% actually care that much, the rest just want some way to access it. Granted Office 2007 sucked balls in almost every way, but most of the Outlooks since 2010 have been relatively solid if you don't need it to act like a 90's Usenet reader.
It is obvious that investment has stalled for a long time, though; the answer to most Outlook feature requests has been "Use Sharepoint!" for a decade now. Great, now I have two problems.
Microsoft claimed the exploitation of this bug was "unlikely" in the wild.
Mostly because S/MIME is an essentially dead protocol, that only a handful of people have ever bothered with....
Re: Well, i hope it happens ...
Did the geologist also talk about Atlantis? Because that scenario sounds about as likely to happen as Godzilla climbing out of the waters to destroy the island. In case you hadn't noticed, the other Hawaiian islands that were formed by the same moving fissure are all still there, slowly eroding away. Please look up the "Hawaiian–Emperor seamount chain" for a more realistic idea of what happens to the island chain as the fissure moves.
If windbg wasn't supposed to be used by beginners, then !analyze -v wouldn't exist. Think about that for a second: your argument is essentially that all conveniences should be stripped away and everyone, pros and neophytes alike, should be made to suffer more, because suffering through it is what makes you a pro.
Far better to get beginners used to working with windbg and ease them into the more complex parts of debugging so that some of them can become pros. Anyone who would use windbg in the first place is already someone who wants to be a pro anyway, it's not exactly a mass-market application.
Re: Know your market
So what, just turn the ribbon off if you hate it. Meh, I'm actually willing to see what it looks like in action instead of condemning the mere idea of change, otherwise I'd be using cdb instead of windbg.
You managed to completely miss the point with both replies. No one was asking for some kind of historical perspective on the protocol, no one cares, it sounds like you're trying to excuse away problems by claiming that there's nothing we can do because it was designed years ago.
The whole point of the posts you're replying to is asking WHEN are they going to be fixed, so that a rogue actor can't maliciously bring down the internet easily, even if for a short time. (And ranting that no one seems to care enough about a gaping hole to do anything.)
Not just the late 90's; I did that in 2013 or so with relatively recent HP gear. Brought a desktop into the datacenter to act as a network capture device, plugged it in, and POW. No auto input switching. Fortunately, it wasn't hard to scrounge a power supply, but you certainly learn your lesson after that.
This has long since evolved
Now, if you don't have screenshots or better yet video recording, with some kind of cryptographic watermark from the system, they'll just accuse you of faking it all, because saving their own pride is far more important than your job or reputation.
Re: The best way to acquire a programming skill
I mean that works if you have lucid API documentation. If it doesn't, you're basically spending weeks spelunking the source code and/or throwing calls against the wall to see what works. And hopefully writing the API docs yourself, since no one else bothered to.
Re: Async not always easy
Aside from shelling out, Python also has fully-working dll/so support, with the ctypes library or one of its pretty wrappers, saving even more overhead versus spinning up an executable and parsing its stdout. Practically all of the important libraries have cpu-intensive operations in compiled .pyd (which is just a dll/so), and quite a few wrappers exist to call out to standard libs.
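As an added example (not the commenter's code) of the ctypes route mentioned above, this calls two functions straight out of the C library already loaded in the process, with no subprocess and no stdout parsing. It sets `argtypes`/`restype` explicitly, which is the part people skip: ctypes defaults `restype` to `c_int`, so a pointer- or `size_t`-returning function would be silently truncated on 64-bit, and without `argtypes` a wrong Python type is marshalled as garbage rather than rejected. It assumes a platform where `ctypes.CDLL(None)` or `find_library("c")` resolves libc (Linux/macOS).

```python
import ctypes
import ctypes.util


def load_libc():
    """Get a handle on the C library. CDLL(None) is dlopen(NULL): the symbols
    already linked into the interpreter. Fall back to the named library."""
    try:
        return ctypes.CDLL(None)
    except (OSError, TypeError):
        return ctypes.CDLL(ctypes.util.find_library("c"))


libc = load_libc()

# size_t strlen(const char *s): declare both sides of the call.
libc.strlen.argtypes = [ctypes.c_char_p]
libc.strlen.restype = ctypes.c_size_t

# void qsort(void *base, size_t nmemb, size_t size,
#            int (*compar)(const void *, const void *))
CMPFUNC = ctypes.CFUNCTYPE(ctypes.c_int,
                           ctypes.POINTER(ctypes.c_int),
                           ctypes.POINTER(ctypes.c_int))
libc.qsort.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_size_t, CMPFUNC]
libc.qsort.restype = None


def c_strlen(text: str) -> int:
    """Byte length as C sees it (UTF-8 encoded), via the real strlen."""
    return libc.strlen(text.encode("utf-8"))


def c_qsort(values):
    """Sort a list of ints with libc's qsort, the comparator being a Python
    callback. Demonstrates the reverse direction: C calling back into Python."""
    arr = (ctypes.c_int * len(values))(*values)

    def compare(a, b):
        # a and b are POINTER(c_int); deref with [0]. Return -1/0/1 like C.
        return (a[0] > b[0]) - (a[0] < b[0])

    cb = CMPFUNC(compare)  # keep the wrapper alive for the whole call
    libc.qsort(ctypes.cast(arr, ctypes.c_void_p), len(arr),
               ctypes.sizeof(ctypes.c_int), cb)
    return list(arr)


if __name__ == "__main__":
    print(c_strlen("héllo"))          # 6 bytes in UTF-8
    print(c_qsort([5, 3, 9, 1, -2]))  # [-2, 1, 3, 5, 9]
```

Passing `c_char_p` with an `argtypes` declaration is also what makes `libc.strlen("str")` fail loudly with a `ctypes.ArgumentError` instead of handing C a pointer to a Python `str` object.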
Re: Python 3 split over?
Programmers who consider Unicode an "unnecessary incompatibility" are the reason why so much software is fundamentally broken anytime it encounters anything that isn't Latin-1. I don't know about you, because you probably never had to touch foreign words or names at all, but Code Pages were a damned nightmare to anyone who actually wanted to do things right.
It really isn't that difficult to figure out bytes vs strings. You guys have had 10 years to wrap your heads around it, and all you have to do is do the right thing. It's not like Python 2.7 is going anywhere, literally all you have to do is convert your shell files from calling python to python2 to make them work, but you're too incompetent to even do that!
This is literally no different from the worthless sysadmins that still complain about Perl 6 and Linux 3, because it violates their comfortable safe space, and they just want to get paid to never have to learn anything ever again.
Re: I'll wait...
Good luck with that; PHP seems to be the only language interested in major versions anymore, and its major versions would be minor versions to any other language. Python is probably going to be asymptotically on 3 forever.
Re: opponents are using guerrilla tactics
I'm not surprised at all that the recipients of billions of pounds a year in taxes to distribute as they see fit are fighting tooth and nail to keep the taxes coming in.
Might as well just do it
gTLDs broke a LOT more internet hardware and software that for some reason included a hardcoded list that it wouldn't deviate from. Heck, some were so bad that they didn't even allow ccTLDs. There are some times when breaking bad assumptions is the only way to go, and given the non-impact on the vast majority of OSes, hardware, and software, might as well just make it happen.
Re: Who's to say we will have to wait until 2020?
That's all anyone needs, a continuation of using the FCC as a proxy war for Congressional power. The only losers in this war are everyone.
Re: What is this ?
All of which go out of date about 5 minutes after you walk away from the machine. Or so long and bitter experience tells me...
Learning to let go lessened my stress significantly. Once managed switches became a thing, it was much simpler to just track the MAC through a breadcrumb trail of ARP & mac-address tables until I found the final port, then it usually wasn't much effort to find the PC. (The massive sales office switch being the only exception.)
Finding wireless devices, on the other hand, that's the REAL fun.
Re: Why so much anger?
"It shouldn't be" is something kids say. It just is, and the better you are at it, the more clients love you. I actually joined my current business partner partly because he's a basket of nerves and hates dealing with client rage, and I can just shrug it off and take the brunt. You'd be surprised how much letting someone vent calms them down. (I still prefer it when they find a more suitable target, of course.)
Law enforcement disposes of evidence after a conviction. Sometimes it's by dumpster, sometimes it's by auction, but they don't really care what happens. It's not like many privacy laws were in effect when they auctioned it off the first time.
This is unnecessarily harsh
I'm pretty sure DevOps still includes the Ops part, and while a lot of "DevOps" kiddies I've met are basically hotshot programmers who've learned a couple of tricks about deploying and debugging the OS and slap the hot title du jour on themselves, there will always be room for operators who intimately know their software and hardware, even if they didn't develop it themselves. A big part of the value proposition of DevOps is that we can be fairly seamlessly pulled off of a development project to manage an operations project.
With any luck, we can leverage their development background to make something better than the usual Perl monstrosities that function as glue code. At its best, it's not just that we fuse the roles, it's that we can step into whatever role we're needed in and do better.
On the other hand, consultants are consultants, and any buzzword you hear is no better than any other buzzword. Any business hoodwinked by that deserves their fate.
Honestly, if a business wants to grab an ERP and try to shoehorn it in on the cheap, more power to them. When they need to go beyond the basic COTS customization capabilities, hopefully they'll call or hire someone capable.
"Doesn't matter if they don't let you have the money, show no interest in letting you have it, and fire you because you couldn't use it." ... and then demand that you pay it back.
Re: Beancounters are odd
@Christian, that's by far the worst misinterpretation of Banker's Rounding I've ever seen. Congratulations!
The results would make sense if they were using a "round to odd" variation of the common "round to even" scheme.
Re: Not a PC but...
The best part of 2G text messages is that you could hear them on any unshielded speaker, a couple seconds before your phone figured out that it had something to show you. The pattern was extremely distinct.
Re: It shows that there is one feature missing
What do you mean, "If there was a feature," just use TLS, don't use the pre-shared key method. It's explicitly recommended against in the documentation. TLS (with or without an additional PSK auth) already gives you perfect forward secrecy and has for over a decade.
Just stop being lazy and use certificates.
Re: Details, details...
Nope, doesn't have to succeed; it's during the processing of the initial certificate exchange that it happens. An actual RCE hasn't been demonstrated, just a crash, but of the sort that an RCE could probably be created from. Another potential RCE, as well as multiple information leakages, are available if the attacker actively manipulates data MITM (which is usually only possible if server verification is turned off).
Oh, he knew.
"As for the hotel, its head of PR has chosen the wrong moment to take a day off. A harassed assistant promised to get back to us."
I have a feeling the head of PR chose exactly the right day to take off, after getting wind of a problem of this size.
Re: "Sounds like a lawsuit"
"After a stunt like that on a credit card:"
Despite being a debit card, it's still processed on the hotel's side as if it was a credit card. Their payment gateway is going to have some words for them, if they aren't dropped entirely, and Visa is probably going to have some very serious words with both the processor and the bank for allowing so many obviously anomalous transactions to go through.
I've yet to see a single piece of ransomware that would transparently decrypt for the convenience of its users for a whole month to run out the backup clock, while at the same time serving encrypted bytes to backup software. Can you name a single one? Despite the obviousness, that's not a trivial creation; ransomware never bothers because they're all about the smash-and-grab, not nation-state injection.
Those are bugs?
"....here are the bugs the review did turn up:
* There's a buffer library API that handles dynamically allocated memory safely;
* Wrappers like strncpyt() and openvpn_snprintf() protect unsafe C standard libraries by protecting against buffer overflows and unsafe NULL termination; and
* Keys and other sensitive data are securely wiped from memory to prevent information leaks."
A bit more explanation might be needed?
Re: Dries Buytaert is a joke
One of the first things they pound into HR's heads is that you can't bring up why someone left, or you can be faced with a lawsuit. He brought up that it was all over being Gorean, HR (or in this case, the lead) can refute the specific claim, but they still don't get to air all the dirty laundry, especially if there's a lot of bickering and he-said-she-said.
To me, it sounds like he was involved in a lot of internal strife, and it was him or someone else (or maybe even both). It's perfectly reasonable to fire someone who is causing office issues, unless it's for being a protected class.
Uber and Oracle
Two of the sleaziest and most hated companies in the entire industry, by men and women alike, and they just happen to be your only two examples. There certainly are more out there, but the fact that the tabloid-headline-grabbing excesses of a mere _two_ companies out of the hundreds of thousands of companies that employ IT and software devs are your evidence points more to shallow thinking and reaction to headlines than a reasoned position.
I wonder how much of the IPv6 resistance...
...came from the ludicrously long public addresses and the insistence that all internal addresses be external addresses. It's IANA's fault, they began the idiotic policy of beginning all registrations with 2001:0200::/23, then 2001:0400::/23, etc, so all public addresses start ugly and painful. Only in 2006 did they start allocating 2400::/12, 2600::/12, because everyone HATED the old scheme. Then ISPs do the same thing with their allocations, so you get to start off with something like 2601:201:8201:9390::/56 (my actual Comcast allocation) before you can even start using your own digits.
Then there was the constant drum-banging for a decade about how "NAT is evil, NAT is not security, NAT is a kludge." The entire reason that IPv6 is 128 bits instead of 64 bits is that NAT was supposed to go away forever, and we would all be in the glorious world where every network-connected device is public again.
Of course NAT is one layer of security, and admins actually don't think allowing all of their PCs to be publicly accessible for the latest vulnerability du jour is a good idea! The bad taste of that crusade and the related overengineering probably retarded IPv6's growth by a decade.
I guess you've never worked as an independent contractor, where the rule is to acquire the licenses first, then bill the entity on a cost-plus basis for the time involved. After all, most jobs are legit and pay on time, and running around with a client's credit card is seen as a serious faux pas.
Most likely the tech really did shoulder the £62K on his own; he says he already billed them and had proceeded to a civil suit before cutting them off, so what more do you want from him?
Re: Not work but...
Once you see how bad it is, it's a lot easier to just boot it up with a usb/cd of the new OS, clear partitions, and start fresh. Fighting for control is a lost cause.
Drunken Dr. Seuss
I am amused by the juxtaposition seen in this article.
Re: Errm ...
"UK libel law is something I don't understand. Now you have to be able to prove everything you write, even in private. Absurd."
Slander, the spreading of defaming stories in private, has been a tort in Common Law far longer than the UK has had colonies, and is much the same in the US. This isn't UK libel law, it's UK defamation law, encompassing both public and private statements.
Re: "Mechanical Sympathy" and magic
Many years ago, Microsoft RDP and Citrix had an odd bug that sometimes caused a modifier key (shift, ctrl, etc) to stick despite being unpressed. Ever since then, I've always had a habit of running a finger across all the modifier keys just in case, when a password doesn't work the first time, to "remind" the system of the actual state of the keys. It seems to work! I rarely mistype my password twice in a row. ;)
Re: The last trump?
That name would be tantamount to high treason, a hanging offense....
It'll obviously be Republican People's Republic of North America.
Think of it more as adding 50% more satellites to the GPS cloud -- 100% more within a few years. Significantly better accuracy for the whole world, no chance the US could one day say "not yours."
There were never any big instruction set changes to the Alpha, once it was done it was done, later revisions just sped up the chips. DEC/Compaq fronted most of the money and half the engineering to make it happen, because their customers wanted it. It was far more than a marketing ploy, but once Compaq threw in the towel, there was no way Microsoft was going to shoulder all of the burden.
The speed challenges were always more about the crappy compiler, anyway; Microsoft's Alpha C compiler was worse than UNIX ones, and much worse than its x86 compiler. (Which if you've used VC6, is saying quite a bit!)