Posts by Tomato42

741 posts • joined 31 May 2011


Holy moley! The amp, kelvin and kilogram will never be the same again

Tomato42
Silver badge

Re: "...using methods that can be replicated anywhere in this Universe."

> The target kilogram, though anchored, would be floating around the lab.

it can also work in a mode in which the acceleration imparted on the object by the electric field is used to derive its mass

3
0

Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Tomato42
Silver badge

Re: "The Dutch authorities are working with the company to fix the situation"

Munich was doing just fine with Linux, until one PHB with a vested interest showed up

31
5

Japanese cyber security minister 'doesn't know what a USB stick is'

Tomato42
Silver badge

Re: He actually sounds...

Yet still, he does use a computer, likely on a daily basis.

It's more to do with the problem of spam and just absolute horrendousness of MUAs than his incapability to do so.

2
0

Six critical systems, four months to Brexit – and no completed testing

Tomato42
Silver badge

I don't think she's preventing it, she's doing everything to keep it in quantum superposition

unfortunately she's unaware that superposition can be achieved only for systems with a few dozen atoms at a time

23
0

YouTube supremo says vid-streaming-slash-piracy giant can't afford EU's copyright overhaul

Tomato42
Silver badge

Well, if Wojcicki wasn't fully occupied with fucking with legitimate YouTubers uploading original content, maybe YouTube wouldn't have problems with sustaining on copyright-infringing mass-uploaders

6
1

Google: All right, screw it, from this Christmas, Chrome will block ALL adverts on dodgy sites

Tomato42
Silver badge
Pint

"Chrome 71 will remove all ads on the small number of sites with persistent abusive experiences,"

persistent abusive experience?

so... no ads on Facebook, YouTube, Instagram and reddit? cool!

36
0

It's wall-to-wall Huawei: Chinese behemoth hogs five of six top spots in SPC-1 array benchmark

Tomato42
Silver badge

Wow

that's getting used to wipe the floor with if I ever saw one

it's really surprising that other vendors completely surrendered

1
0

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling

Tomato42
Silver badge

Re: Cat herding

I won't deny that Vixie knows a bit about DNS.

I'm not so sure if his incentives align with Web (and thus DNS) users though.

8
5

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

Tomato42
Silver badge

Re: lesser threat

> provide a warning, and a way for the user to continue past the warning if they deem the risk is acceptable, or if they just don't care.

we had this kind of behaviour in browsers, it is exactly the reason why BEAST was exploitable

and showing HTML error that the user can click through is way, way too late – the authentication cookies were already sent over the insecure channel

1
0

Brexit campaigner AggregateIQ challenges UK's first GDPR notice

Tomato42
Silver badge

Re: An amazing coincidence

@Arthur the cat and if we were talking about any random firms, that could be true. But here we are dealing with crooks. Filing for "bankruptcy" and creating new front for the old operation is crook 101 behaviour.

11
0

Enigma message crack honours pioneering Polish codebreakers

Tomato42
Silver badge

Re: Polish contributions

cryptography in general being marked as Top Secret as late as the 1990's is the main reason – e.g. Clifford Cocks of GCHQ described RSA a good decade before MIT got their RSA patent, but it was secret until 1997

14
0

Don't put the 'd' and second 'i' in IoT: How to secure devices in your biz – belt and braces

Tomato42
Silver badge

Re: "No MDM no connection... if the user doesn't like it, tough"

what? companies generally don't have an "Internet access only, limited at that" guest WiFi network? how do they handle external people that come to negotiate a contract or make a presentation or 50 other different things?

please don't tell me they get a corporate laptop with full access to internal network?

2
0

Python joins movement to dump 'offensive' master, slave terms

Tomato42
Silver badge

Re: SJW Powers Activate

Linux is obviously satanic ...

not only is it satanic because it sacrifices children and deals with zombies, it is also full of daemons!

burn the witch! /s

sigh

1
0
Tomato42
Silver badge

All aboard the euphemism train!

first it was "shell shock", then it was "battle fatigue", then it was "operational exhaustion", and now, after removing all humanity from the term it has become "post-traumatic stress disorder"

because renaming the thing automatically makes it all better, it makes it go all away!

1984 was not an instruction manual, and it was a story about how language controls us if we don't control it

master/slave should stay, just like whitelist/blacklist and basically any other technical term (just go through urban dictionary, you'll find that basically everything but prepositions could be considered offensive to *somebody* )

15
4

Microsoft: You don't want to use Edge? Are you sure? Really sure?

Tomato42
Silver badge

Re: Block IE and Edge

if that Mint wasn't updated for half a year it would need an hour tops to install all updates; unlike Windows, the installation usually takes just an hour, even for the including-kitchen-sink package selection option

now, do install just windows and orfice in an hour

10
3

Y'know what? VoIP can also be free from pesky regulation – US judges

Tomato42
Silver badge

Re: Politics, big tech, and consumers.

TBH, a lot of legislation in the EU is what the crazy party in the US would call "anti-business", it definitely is pro-consumer and yet businesses are doing just fine in the EU

8
1

AI biz borks US election spending data by using underpaid Amazon Mechanical Turks

Tomato42
Silver badge

ah, another technical term completely ruined by markedroids; joins the list of "aero-grade aluminium", "military spec" and "enterprise grade", to mention just a few

5
0

Microsoft tells volume customers they can stay on Windows 7... for a bit longer... for a fee

Tomato42
Silver badge

WinXP

Windows XP continued to quietly receive fixes-for-a-fee for some time

why the past tense? Embedded version of Win XP has support still, it ends next year.

19
3

No, no, you're all wrong. That's not a Kremlin agent. It's someone with 'inauthentic behavior'

Tomato42
Silver badge

"stifling the free exchange of ideas on their platforms."

you mean, exactly what they did during Kavanaugh hearings?

hypocrisy doesn't even begin to describe what the far right is doing in the US, we really need a new word for it

19
1

Linux 4.19 lets you declare your trust in AMD, IBM and Intel

Tomato42
Silver badge

Re: People trust that?

"If they can hide corrupt RNGs in a CPU beyond the ability to detect even via things like x-rays, can't the same technique be used to corrupt any other I/O stream?"

because to turn an RNG to a biased one requires changing the amount of doping in a single transistor (oh, and that counter mode for AES? that's what the Intel design document says how its RNG works; which means there is very little that needs to change to make the counter or the key predictable (and thus RNG's output) to certain people and still completely unpredictable to me and you)

detecting when the USB dongle connected is a custom RNG or just an RS232 bridge or an LHC muon detector requires likely hundreds of transistors or hundreds of cycles

and sure, it's technically possible for a TLA to create such a CPU and plant it in your computer, but if they are interested in you to this degree, the RNG of Intel CPU would be the last thing on my mind

I don't know why you bring up shellshock – it was a documented feature with unintended consequences. Regarding heartbleed – because we know that the RNG is the important part, we know that Intel sometimes screws up implementation (fdiv bug for most well known example) and people are specifically looking for problems in it. Nobody was looking for bugs in heartbeat implementation before heartbleed.

1
0
Tomato42
Silver badge

Re: People trust that?

@aldakka: purely in theory, yes

but there are quite a few people that de-lid and de-cap Intel CPUs to look at what they actually do on the silicon level, then there's the thing of the CPU having very well defined outputs for given inputs, again, something that quite a few people verify before using the CPU in question

and then we have the RNG, circuit that *by design* produces inscrutable and unpredictable outputs for all inputs. Does it do that by encrypting a counter with AES and a key a TLA knows? or does it do that by getting the data from some quantum process? can't really tell (and believe me, people have looked at it, there are plenty of papers on the topic)

so while, yes, one single person can't be certain that the CPU doesn't switch completely predictable bytes in place where the USB provided random bytes should be, as a community we can be reasonably sure it doesn't do that; can't say the same of the built-in RNG

2
0
Tomato42
Silver badge

Re: This is actually useful

VMs should trust the entropy from the hypervisor, and by the time the hypervisor can run, the host will definitely have enough entropy

so it looks like the VMs lacked virtio-rng (or equivalent)

10
0

Give yourselves a pat on the back, top million websites, half of you now use HTTPS

Tomato42
Silver badge

Re: Let's Encrypt Certificates

well, if they are so amazing and you have such good relationship with them – ask them to implement support for automatic provisioning of Let's Encrypt certificates

1
0
Tomato42
Silver badge

Re: Let's Encrypt Certificates

@BillG: Then get a better hosting provider that won't nickel and dime you on things that are mandatory for modern web operation (HTTP/2 anyone?)

0
1
Tomato42
Silver badge

Re: Let's Encrypt Certificates

@BillG the whole point of LE is to automate the issuance of certificates. And for an automated script it doesn't matter if the issuance is every week or every year

5
1
Tomato42
Silver badge

ECDSA?

In his blog post, Helme noted that more secure ECDSA

ECDSA is not more secure than RSA, it's just faster for the currently necessary security margins. And once quantum computers enter the picture they are much less secure.

1
1

Just how rigged is America's broadband world? A deep dive into one US city reveals all

Tomato42
Silver badge

Re: Choice

Oh, but you have the ability to choose from over 30 kinds of breakfast cereals! that means you have Freedom™

/s

28
1
Tomato42
Silver badge

Re: There's a worse place?

The Net down under sucks because of physics, not because of unfettered, unlimited and shareholder mandated avarice.

15
4

It's official: TLS 1.3 approved as standard while spies weep

Tomato42
Silver badge

Re: I wonder if....

There is a built-in downgrade protection mechanism, but as the RFC says, it doesn't work for RSA ciphersuites. Additionally, if you can break SHA-1 in real-time, then you can downgrade to TLS 1.1 and earlier. (If you can break SHA-256 in real time you don't have to downgrade to TLS 1.2 as that means you can break TLS 1.3).

RSA ciphersuites you shouldn't be using (see ROBOT), and TLS 1.1 and earlier is useful only for deprecated software (Win XP) or short-sighted software combined with lazy developers (default .NET and, IIRC, PowerShell settings for HTTPS connections).

So it does require a bit of work to plug possible holes, but nothing insurmountable (and really, it's still just hardening at this point, there are no known successful attacks like this).

0
0
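The "built-in downgrade protection mechanism" the post refers to is the sentinel a TLS 1.3-capable server writes into the last 8 bytes of ServerHello.random when it ends up negotiating an older version (RFC 8446, section 4.1.3). The following is an added example, not code from the post or from any TLS library: it builds the server random the way the RFC prescribes and applies the client-side check, and the comments spell out why the check buys nothing for static RSA ciphersuites. The function names (`server_random`, `check_server_hello`, `sentinel_is_authenticated`) and the use of `os.urandom` for the random bytes are my own choices.

```python
"""TLS 1.3 downgrade sentinel (RFC 8446, section 4.1.3), added example."""
import os

# Protocol version codes as they appear on the wire.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# A TLS 1.3-capable server MUST put one of these in the last 8 bytes of
# ServerHello.random when it negotiates an older protocol version.
SENTINEL_TLS12 = bytes.fromhex("444f574e47524401")           # "DOWNGRD\x01"
SENTINEL_TLS11_OR_LOWER = bytes.fromhex("444f574e47524400")  # "DOWNGRD\x00"


def server_random(negotiated, server_max=TLS13, rng=os.urandom):
    """Build ServerHello.random as a server whose highest version is
    server_max would. Only a 1.3-capable server ever writes the sentinel."""
    rand = bytearray(rng(32))
    if server_max >= TLS13:
        if negotiated == TLS12:
            rand[24:] = SENTINEL_TLS12
        elif negotiated <= TLS11:
            rand[24:] = SENTINEL_TLS11_OR_LOWER
    return bytes(rand)


def check_server_hello(negotiated, rand, client_max=TLS13):
    """Client-side check. Returns True if the ServerHello may be accepted,
    False if the client must abort with an illegal_parameter alert."""
    if len(rand) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if client_max < TLS13 or negotiated >= TLS13:
        # The check only applies when a 1.3 client was offered 1.2 or lower.
        return True
    return rand[24:] not in (SENTINEL_TLS12, SENTINEL_TLS11_OR_LOWER)


def sentinel_is_authenticated(key_exchange):
    """Whether the sentinel is actually protected for a TLS 1.2 key exchange.

    With (EC)DHE the server signs client and server randoms together with
    the key share, so a man-in-the-middle cannot strip the sentinel without
    forging that signature. With static RSA nothing but the Finished MAC
    covers ServerHello.random, and anyone able to recover the premaster
    secret (the ROBOT scenario the post mentions) can compute a valid
    Finished, so the sentinel provides no protection there, as the RFC says.
    """
    return key_exchange in ("ECDHE", "DHE")


if __name__ == "__main__":
    # Constructed scenario: a 1.3 client, a 1.3 server, but something in
    # between forced TLS 1.2. The honest server still marks the random.
    rand = server_random(TLS12, server_max=TLS13)
    print("client accepts:", check_server_hello(TLS12, rand))          # False
    print("protected with ECDHE:", sentinel_is_authenticated("ECDHE"))  # True
    print("protected with static RSA:", sentinel_is_authenticated("RSA"))  # False
```

Note that the check is deliberately version-agnostic about which sentinel it finds: the RFC tells a 1.3 client that received 1.2 or lower to reject either value, since either one proves the server could have spoken 1.3.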
Tomato42
Silver badge

Banking industry

From the article:

The way TLS 1.3 works also sparked some last-minute pleading from the banking industry to make a change and effectively introduce a backdoor into the system

To be more exact, it was just some people from the banking industry that were complaining about it, it wasn't a long list or a majority. Few people from the same industry said that they don't need that ability at all. And no, no significant changes were made to accommodate pervasive monitoring.

6
0
Tomato42
Silver badge

Re: no-brainer for sysadmins

Unfortunately the drop in with OpenSSL is not perfect - the only version of OpenSSL that will have TLS 1.3 support is 1.1.1, which is ABI compatible to 1.1.0, but 1.1.0 and 1.0.2 are ABI incompatible.

there is a bit of API incompatibility also between 1.1.0 and 1.0.2, but if an application didn't peek too much under the skirt of OpenSSL, it will require "only" a recompilation to start running on 1.1.0 ABI (and thus get TLS 1.3 with 1.1.1 release)

3
0

May the May update be with you: OpenSSL key sniffed from radio signal

Tomato42
Silver badge

Re: Sidechannel attacks

Constant-time arithmetic for cryptographic code is standard practice these days, and has been for some years. Amateur implementations may lack it, but the grownups all take it into consideration. When a timing side channel is found in a major crypto implementation these days, it's a bug, not a failure to consider the problem.

I didn't say it wasn't written to constant time standard, I said it's not tested to be constant time

1
0
Tomato42
Silver badge

Sidechannel attacks

and to think that most of the security critical code is not tested for constant time execution, let alone constant memory access or constant EM emissions...

7
0
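Both posts above draw a line between code that is *written* to a constant-time standard and code that is *tested* to be constant time. The following is an added example, not code from the posts or from OpenSSL, of the simplest such test: a differential timing measurement that compares how long a comparison takes when the guess is wrong in the first byte versus the last byte. A constant-time routine should give a ratio near 1.0; the textbook early-exit loop grows with the length of the input. The leaky function, the constructed 64-byte "MAC" and the `timing_ratio` helper are my own; the constant-time routine is Python's `hmac.compare_digest`.

```python
"""Differential timing test for a byte-string comparison, added example."""
import hmac
import statistics
import time


def leaky_compare(a, b):
    """Textbook comparison: returns at the first mismatching byte, so the
    running time depends on where the secret and the guess first differ."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_compare(a, b):
    """Python's own constant-time comparison (hmac.compare_digest)."""
    return hmac.compare_digest(a, b)


def median_ns(fn, a, b, rounds=5000):
    """Median wall-clock time of fn(a, b) over `rounds` calls, in nanoseconds.
    The median rather than the mean keeps scheduler hiccups out of the figure."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        fn(a, b)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)


def timing_ratio(fn, length=64, rounds=5000):
    """Ratio of the median time for a guess wrong only in the last byte to
    one wrong in the first byte. Close to 1.0 means no position-dependent
    leak was observed at this sample size; well above 1.0 means the first
    mismatch position is visible in the timing."""
    secret = bytes(range(length))                          # constructed fixed "MAC"
    wrong_first = bytes([secret[0] ^ 0xFF]) + secret[1:]   # mismatch at byte 0
    wrong_last = secret[:-1] + bytes([secret[-1] ^ 0xFF])  # mismatch at the end
    return median_ns(fn, secret, wrong_last, rounds) / median_ns(fn, secret, wrong_first, rounds)


if __name__ == "__main__":
    for name, fn in (("leaky_compare", leaky_compare),
                     ("constant_time_compare", constant_time_compare)):
        print(f"{name:22s} last/first timing ratio: {timing_ratio(fn):.2f}")
```

The ratio for `leaky_compare` is normally well above 1 on a quiet machine, while `constant_time_compare` stays near 1, but a busy host can blur the difference at this sample size; that is exactly why such a test has to be run and its statistics examined rather than assumed from reading the source.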

Google keeps tracking you even when you specifically tell it not to: Maps, Search won't take no for an answer

Tomato42
Silver badge

Re: Stuff Like This Should Be Illegal

@MrReal "moon landing conspiracy theory"

Moon landings were a PR job to show superiority of US against USSR, so yes, in the middle of cold war they *had* to tell the truth or the USSR would make fun of them.

you're a nutjob, and if you don't turn around, I guarantee you'll soon believe that Earth is flat, vaccines cause autism and chem-trails control your mind

40
3

UK cyber security boffins dispense Ubuntu 18.04 wisdom

Tomato42
Silver badge

Re: Number of vulns means nothing

having no security vulnerabilities only means *you're not fixing them*; there's no such thing as bug free code at the OS level

5
2

Facebook, Google, Microsoft, Twitter make it easier to download your info and upload to, er, Facebook, Google, Microsoft, Twitter etc...

Tomato42
Silver badge
Trollface

Re: Always makes me chuckle

> given that their business models are all based on the opposite of that.

oh, au contraire! if you don't have full and complete control and secrecy of the collected data, how are you going to monetise it and ensure proper billing?

4
0

Fukushima reactors lend exotic nuclear finish to California's wines

Tomato42
Silver badge

Re: Banana Equivalent Dose (BED)

> but I would hope the commenters here understand what a sievert is.

and if the article gave the exposure in µSv (or likely nSv), I wouldn't complain, what it did is give the following:

> cesium-137 activity from about 7.5 mBq per liter to around 15

And Becquerel is about as intuitive as chains to the hogshead for fuel efficiency.

(I'd also hope that commenters here know that all SI units named after people are capitalised, or don't you know of Rolf Sievert? j/k)

1
0
Tomato42
Silver badge

Re: Banana Equivalent Dose (BED)

@Symon you misunderstood; BED is not a precise scientific unit, it's supposed to be just an aid in understanding if the radiation levels being talked about are well below background radiation, around the background radiation level, or well above it

6
0
Tomato42
Silver badge

yes, our scientific equipment is amazing...

...it can measure differences in dangerous substances couple of orders of magnitude below their dangerous levels

+1 on the BED above; how many hundreds of litres (litre is 1/159th of a tierce, for the metrically-challenged people) need to be drunk for 1 BED?

8
0

♫ The Core i9 clock cycles go up. Who cares where they come down?

Tomato42
Silver badge

Re: Tick-Tock

Thermal throttling was part of Intel design since Pentium IV; so yes, this is nothing but markedroids "aiming for the sky"

2
0
Tomato42
Silver badge

Re: unless I am wrong

> - high price/flawless hardware.

yes, and this article shows how flawless that hardware is

don't reply, I don't want you to use up your new (and courageous!) keyboard on drivel

4
3
Tomato42
Silver badge

Re: i9 works great in a suitable chassis

> If that's what it takes, then you may as well buy a desktop.

it fits into a backpack (nothing but it, but still), a desktop + screen + keyboard doesn't

4
0

EU plans for domestic exascale supercomputer chips: A RISC-y business

Tomato42
Silver badge

Re: We can watch if from the UK

yes, Europeans are really bad at big scientific projects, they never deliver, just look at Large Hadron Collider, I think you can read about it on their fledgling technology called "The Web" (talk about ridiculous naming) that came from the same institution /s

> 15+ years later, assuming anything is created, it'll be something like a 2Ghz 6502.

nobody is saying they have to start from scratch

> If the EU want the hardware then they just need to pay the Taiwanese fabs to create it.

oh, so the foundries in Dresden closed recently? when was that?

> They are pissing money because they don't know that value add is the software.

WTF are you talking about? all of HPC runs Linux. Just because you don't hear about Google's and GitHub's from EU, doesn't mean EU does not make a lot of software. There's a difference between technology aimed at consumers and technology aimed at corporations.

14
1

GitHub to Pythonistas: Let us save you from vulnerable code

Tomato42
Silver badge

Re: What?

I'm quite sure they started working on it well before acquisition

7
1

Google Chrome update to label HTTP-only sites insecure within WEEKS

Tomato42
Silver badge

Re: http download: 90 seconds, https download >= 45 min

https://istlsfastyet.com/

0
0
Tomato42
Silver badge

the whole point of marking http as insecure is to drop the, as you rightly point out, "secure" identifier on https sites

so that we end with just websites, no "not secure", no "secure", just websites

1
1
Tomato42
Silver badge

well, if you like ISPs injecting ads into your otherwise ad-free websites (https://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html) then, sure, go and continue using http only

I prefer to read what the author intended to be on the website, and http doesn't ensure that.

11
3

Europe's scheme to build exascale capability on homegrown hardware is ludicrous fantasy

Tomato42
Silver badge

Re: What about the software?

Linux is already ported to all the architectures discussed here, and x86 HPC also runs Linux, so that's hardly a problem

the issue is with applications, hand coded assembly in numerical libraries, not with stuff below that

1
0
Tomato42
Silver badge

> I assume it's the French who want to drive this forward using EU money.

I'm quite sure that they (in pure monetary terms) contribute more to the EU budget than they get out, so it's more like "using their money with the help of other countries" than the parasitic-sounding "using EU money"...

5
0
Tomato42
Silver badge

Re: I beg to differ

well, ARM is European, though likely soon not EU, so it's not like we would be starting from zero

and while the foundries in Dresden are of GlobalFoundries, so US corporation, it does show that they can be competitive

so definitely not an insane idea

3
0
