* Posts by Tomato42

730 posts • joined 31 May 2011


Don't put the 'd' and second 'i' in IoT: How to secure devices in your biz – belt and braces

Tomato42
Silver badge

Re: "No MDM no connection... if the user doesn't like it, tough"

what? companies generally don't have an "Internet access only, limited at that" guest WiFi network? how do they handle external people that come to negotiate a contract or make a presentation or 50 other different things?

please don't tell me they get a corporate laptop with full access to internal network?

2
0

Python joins movement to dump 'offensive' master, slave terms

Tomato42
Silver badge

Re: SJW Powers Activate

Linux is obviously satanic ...

not only is it satanic because it sacrifices children and deals with zombies, it is also full of daemons!

burn the witch! /s

sigh

1
0
Tomato42
Silver badge

All aboard the euphemism train!

first it was "shell shock", then it was "battle fatigue", then it was "operational exhaustion", and now, after removing all humanity from the term it has become "post-traumatic stress disorder"

because renaming the thing automatically makes it all better, it makes it go all away!

1984 was not an instruction manual, and it was a story about how language controls us if we don't control it

master/slave should stay, just like whitelist/blacklist and basically any other technical term (just go through urban dictionary, you'll find that basically everything but prepositions could be considered offensive to *somebody* )

15
4

Microsoft: You don't want to use Edge? Are you sure? Really sure?

Tomato42
Silver badge

Re: Block IE and Edge

if that Mint wasn't updated for half a year it would need an hour tops to install all updates; unlike Windows, the installation usually takes just an hour, even for the including-kitchen-sink package selection option

now, do install just windows and orfice in an hour

10
3

Y'know what? VoIP can also be free from pesky regulation – US judges

Tomato42
Silver badge

Re: Politics, big tech, and consumers.

TBH, a lot of legislation in the EU is what the crazy party in the US would call "anti-business", it definitely is pro-consumer and yet businesses are doing just fine in the EU

8
1

AI biz borks US election spending data by using underpaid Amazon Mechanical Turks

Tomato42
Silver badge

ah, another technical term completely ruined by markedroids; joins the list of "aero-grade aluminium", "military spec" and "enterprise grade", to mention just a few

5
0

Microsoft tells volume customers they can stay on Windows 7... for a bit longer... for a fee

Tomato42
Silver badge

WinXP

Windows XP continued to quietly receive fixes-for-a-fee for some time

why the past tense? The embedded version of Win XP still has support, it ends next year.

19
3

No, no, you're all wrong. That's not a Kremlin agent. It's someone with 'inauthentic behavior'

Tomato42
Silver badge

"stifling the free exchange of ideas on their platforms."

you mean, exactly what they did during Kavanaugh hearings?

hypocrisy doesn't even begin to describe what the far right is doing in the US, we really need a new word for it

19
1

Linux 4.19 lets you declare your trust in AMD, IBM and Intel

Tomato42
Silver badge

Re: People trust that?

"If they can hide corrupt RNGs in a CPU beyond the ability to detect even via things like x-rays, can't the same technique be used to corrupt any other I/O stream?"

because to turn an RNG into a biased one requires changing the amount of doping in a single transistor (oh, and that counter mode for AES? that's how the Intel design document says its RNG works; which means there is very little that needs to change to make the counter or the key predictable (and thus the RNG's output) to certain people and still completely unpredictable to me and you)

detecting whether the connected USB dongle is a custom RNG or just an RS232 bridge or an LHC muon detector likely requires hundreds of transistors or hundreds of cycles

and sure, it's technically possible for a TLA to create such a CPU and plant it in your computer, but if they are interested in you to this degree, the RNG of Intel CPU would be the last thing on my mind

I don't know why you bring shellshock – it was a documented feature with unintended consequences. Regarding heartbleed – because we know that the RNG is the important part, we know that Intel sometimes screws up implementation (fdiv bug for most well known example) and people are specifically looking for problems in it. Nobody was looking for bugs in heartbeat implementation before heartbleed.

1
0
Tomato42
Silver badge

Re: People trust that?

@aldakka: purely in theory, yes

but there are quite a few people that de-lid and de-cap Intel CPUs to look at what they actually do on the silicon level, then there's the thing of the CPU having very well defined outputs for given inputs, again, something that quite a few people verify before using the CPU in question

and then we have the RNG, circuit that *by design* produces inscrutable and unpredictable outputs for all inputs. Does it do that by encrypting a counter with AES and a key a TLA knows? or does it do that by getting the data from some quantum process? can't really tell (and believe me, people have looked at it, there are plenty of papers on the topic)

so while, yes, one single person can't be certain that the CPU doesn't switch completely predictable bytes in place where the USB provided random bytes should be, as a community we can be reasonably sure it doesn't do that; can't say the same of the built-in RNG

2
0
Tomato42
Silver badge

Re: This is actually useful

VMs should trust the entropy from the hypervisor, and by the time the hypervisor can run, the host will definitely have enough entropy

so it looks like the VMs lacked virtio-rng (or equivalent)

10
0

Give yourselves a pat on the back, top million websites, half of you now use HTTPS

Tomato42
Silver badge

Re: Let's Encrypt Certificates

well, if they are so amazing and you have such good relationship with them – ask them to implement support for automatic provisioning of Let's Encrypt certificates

1
0
Tomato42
Silver badge

Re: Let's Encrypt Certificates

@BillG: Then get a better hosting provider that won't nickel and dime you on things that are mandatory for modern web operation (HTTP/2 anyone?)

0
1
Tomato42
Silver badge

Re: Let's Encrypt Certificates

@BillG the whole point of LE is to automate the issuance of certificates. And for automated script it doesn't matter if the issuance is every week or every year

5
1
Tomato42
Silver badge

ECDSA?

In his blog post, Helme noted that more secure ECDSA

ECDSA is not more secure than RSA, it's just faster for the currently necessary security margins. And once quantum computers enter the picture they are much less secure.

1
1

Just how rigged is America's broadband world? A deep dive into one US city reveals all

Tomato42
Silver badge

Re: Choice

Oh, but you have the ability to choose from over 30 kinds of breakfast cereals! that means you have Freedom™

/s

27
1
Tomato42
Silver badge

Re: There's a worse place?

The Net down under sucks because of physics, not because of unfettered, unlimited and shareholder mandated avarice.

15
4

It's official: TLS 1.3 approved as standard while spies weep

Tomato42
Silver badge

Re: I wonder if....

There is a built-in downgrade protection mechanism, but as the RFC says, it doesn't work for RSA ciphersuites. Additionally, if you can break SHA-1 in real time, then you can downgrade to TLS 1.1 and earlier. (If you can break SHA-256 in real time you don't have to downgrade to TLS 1.2, as that means you can break TLS 1.3).

RSA ciphersuites you shouldn't be using (see ROBOT), and TLS 1.1 and earlier is useful only for deprecated software (Win XP) or short-sighted software combined with lazy developers (default .NET and, IIRC, PowerShell settings for HTTPS connections).

So it does require a bit of work to plug possible holes, but nothing insurmountable (and really, it's still just hardening at this point, there are no known successful attacks like this).

0
0
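The downgrade mechanism the post refers to is the sentinel in ServerHello.random from RFC 8446 section 4.1.3. The following is an added example, not code from the original post, showing the check a TLS 1.3 client performs and why it gives no guarantee under static RSA key exchange; version numbers and sentinel bytes are the RFC's, the sample randoms are constructed.

```python
# Added example (not from the original post): the TLS 1.3 downgrade-sentinel
# check from RFC 8446 section 4.1.3, as a TLS 1.3 client would apply it.
# Version numbers and sentinel bytes are the RFC's; sample randoms are constructed.
import os

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# A TLS 1.3 server that negotiates a lower version overwrites the last 8 bytes of
# ServerHello.random with one of these values ("DOWNGRD" plus 0x01 or 0x00).
SENTINEL_TLS12 = bytes.fromhex("444F574E47524401")   # negotiated TLS 1.2
SENTINEL_TLS11 = bytes.fromhex("444F574E47524400")   # negotiated TLS 1.1 or below


def server_random_for_version(negotiated_version):
    """Build ServerHello.random the way a TLS 1.3-capable server does (sentinel only
    when it settles on a version below 1.3)."""
    if negotiated_version >= TLS13:
        return os.urandom(32)
    tail = SENTINEL_TLS12 if negotiated_version == TLS12 else SENTINEL_TLS11
    return os.urandom(24) + tail


def check_downgrade_sentinel(negotiated_version, server_random, ephemeral_kx):
    """Verdict of a client that offered TLS 1.3 on the ServerHello it received.

    ephemeral_kx is True for (EC)DHE cipher suites, whose ServerKeyExchange
    signature covers both randoms, and False for static RSA key exchange."""
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if negotiated_version >= TLS13:
        return "ok"                      # no downgrade, sentinel not applicable
    tail = server_random[-8:]
    # RFC 8446: clients MUST abort (illegal_parameter) if either value is present.
    if tail in (SENTINEL_TLS12, SENTINEL_TLS11):
        return "abort: downgrade sentinel present in ServerHello.random"
    if not ephemeral_kx:
        # With static RSA nothing signs the randoms: a party who can recover the
        # RSA-encrypted premaster secret (the ROBOT case mentioned in the post)
        # can rewrite the tail and still produce valid Finished messages, so the
        # absence of the sentinel proves nothing here.
        return "accept: sentinel absent but unauthenticated (RSA key exchange)"
    return "accept: sentinel absent and covered by ServerKeyExchange signature"


if __name__ == "__main__":
    # A TLS 1.3 server forced down to TLS 1.2 leaves the sentinel; the client aborts.
    print(check_downgrade_sentinel(TLS12, server_random_for_version(TLS12), True))
    # Constructed random without a sentinel, under an (EC)DHE suite: accepted.
    print(check_downgrade_sentinel(TLS12, bytes(range(32)), True))
```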
Tomato42
Silver badge

Banking industry

From the article:

The way TLS 1.3 works also sparked some last-minute pleading from the banking industry to make a change and effectively introduce a backdoor into the system

To be more exact, it was just some people from the banking industry that were complaining about it, it wasn't a long list or a majority. A few people from the same industry said that they don't need that ability at all. And no, no significant changes were made to accommodate pervasive monitoring.

6
0
Tomato42
Silver badge

Re: no-brainer for sysadmins

Unfortunately the drop-in with OpenSSL is not perfect - the only version of OpenSSL that will have TLS 1.3 support is 1.1.1, which is ABI compatible with 1.1.0, but 1.1.0 and 1.0.2 are ABI incompatible.

there is a bit of API incompatibility also between 1.1.0 and 1.0.2, but if an application didn't peek too much under the skirt of OpenSSL, it will require "only" a recompilation to start running on the 1.1.0 ABI (and thus get TLS 1.3 with the 1.1.1 release)

3
0

May the May update be with you: OpenSSL key sniffed from radio signal

Tomato42
Silver badge

Re: Sidechannel attacks

Constant-time arithmetic for cryptographic code is standard practice these days, and has been for some years. Amateur implementations may lack it, but the grownups all take it into consideration. When a timing side channel is found in a major crypto implementation these days, it's a bug, not a failure to consider the problem.

I didn't say it wasn't written to constant time standard, I said it's not tested to be constant time

1
0
Tomato42
Silver badge

Sidechannel attacks

and to think that most of the security critical code is not tested for constant time execution, let alone constant memory access or constant EM emissions...

7
0

Google keeps tracking you even when you specifically tell it not to: Maps, Search won't take no for an answer

Tomato42
Silver badge

Re: Stuff Like This Should Be Illegal

@MrReal "moon landing conspiracy theory"

Moon landings were a PR job to show the superiority of the US over the USSR, so yes, in the middle of the Cold War they *had* to tell the truth or the USSR would make fun of them.

you're a nutjob, and if you don't turn around, I guarantee you'll soon believe that Earth is flat, vaccines cause autism and chem-trails control your mind

39
3

UK cyber security boffins dispense Ubuntu 18.04 wisdom

Tomato42
Silver badge

Re: Number of vulns means nothing

having no security vulnerabilities only means *you're not fixing them*; there's no such thing as bug-free code at the OS level

5
2

Facebook, Google, Microsoft, Twitter make it easier to download your info and upload to, er, Facebook, Google, Microsoft, Twitter etc...

Tomato42
Silver badge
Trollface

Re: Always makes me chuckle

> given that their business models are all based on the opposite of that.

oh, au contraire! if you don't have full and complete control and secrecy of the collected data, how are you going to monetise it and ensure proper billing?

4
0

Fukushima reactors lend exotic nuclear finish to California's wines

Tomato42
Silver badge

Re: Banana Equivalent Dose (BED)

> but I would hope the commenters here understand what a sievert is.

and if the article gave the exposure in µSv (or likely nSv), I wouldn't complain, what it did is give the following:

> cesium-137 activity from about 7.5 mBq per liter to around 15

And Becquerel is about as intuitive as chains to the hogshead for fuel efficiency.

(I'd also hope that commenters here know that all SI units named after people are capitalised, or don't you know of Rolf Sievert? j/k)

1
0
Tomato42
Silver badge

Re: Banana Equivalent Dose (BED)

@Symon you misunderstood; BED is not a precise scientific unit, it's supposed to be just an aid in understanding whether the radiation levels being talked about are well below background radiation, around the background radiation level, or well above it

6
0
Tomato42
Silver badge

yes, our scientific equipment is amazing...

...it can measure differences in dangerous substances a couple of orders of magnitude below their dangerous levels

+1 on the BED above; how many hundreds of litres (a litre is 1/159th of a tierce, for the metrically-challenged people) need to be drunk for 1 BED?

8
0

♫ The Core i9 clock cycles go up. Who cares where they come down?

Tomato42
Silver badge

Re: Tick-Tock

Thermal throttling was part of Intel design since Pentium IV; so yes, this is nothing but markedroids "aiming for the sky"

2
0
Tomato42
Silver badge

Re: unless I am wrong

> - high price/flawless hardware.

yes, and this article shows just how flawless that hardware is

don't reply, I don't want you to use up your new (and courageous!) keyboard on drivel

4
3
Tomato42
Silver badge

Re: i9 works great in a suitable chassis

> If that's what it takes, then you may as well buy a desktop.

it fits into a backpack (nothing but it, but still), a desktop + screen + keyboard doesn't

4
0

EU plans for domestic exascale supercomputer chips: A RISC-y business

Tomato42
Silver badge

Re: We can watch if from the UK

yes, Europeans are really bad at big scientific projects, they never deliver, just look at the Large Hadron Collider, I think you can read about it on their fledgling technology called "The Web" (talk about ridiculous naming) that came from the same institution /s

> 15+ years later, assuming anything is created, it'll be something like a 2GHz 6502.

nobody is saying they have to start from scratch

> If the EU want the hardware then they just need to pay the Taiwanese fabs to create it.

oh, so the foundries in Dresden closed recently? when was that?

> They are pissing money because they don't know that the value add is the software.

WTF are you talking about? all of HPC runs Linux. Just because you don't hear about Googles and GitHubs from the EU doesn't mean the EU does not make a lot of software. There's a difference between technology aimed at consumers and technology aimed at corporations.

14
1

GitHub to Pythonistas: Let us save you from vulnerable code

Tomato42
Silver badge

Re: What?

I'm quite sure they started working on it well before acquisition

7
1

Google Chrome update to label HTTP-only sites insecure within WEEKS

Tomato42
Silver badge

Re: http download: 90 seconds, https download >= 45 min

https://istlsfastyet.com/

0
0
Tomato42
Silver badge

the whole point of marking http as insecure is to drop the, as you rightly point out, "secure" identifier on https sites

so that we end with just websites, no "not secure", no "secure", just websites

1
1
Tomato42
Silver badge

well, if you like ISPs injecting ads into your otherwise ad-free websites (https://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html) then, sure, go and continue using http only

I prefer to read what the author intended to be on the website, and http doesn't ensure that.

11
3

Europe's scheme to build exascale capability on homegrown hardware is ludicrous fantasy

Tomato42
Silver badge

Re: What about the software?

Linux is already ported to all the architectures discussed here, and x86 HPC also runs Linux, so that's hardly a problem

the issue is with applications, hand coded assembly in numerical libraries, not with stuff below that

1
0
Tomato42
Silver badge

> I assume it's the French who want to drive this forward using EU money.

I'm quite sure that they (in pure monetary terms) contribute more to the EU budget than they get out, so it's more like "using their money with the help of other countries" than the parasitic-sounding "using EU money"...

4
0
Tomato42
Silver badge

Re: I beg to differ

well, ARM is European, though likely soon not EU, so it's not like we would be starting from zero

and while the foundries in Dresden belong to GlobalFoundries, so a US corporation, it does show that they can be competitive

so definitely not an insane idea

3
0

Astronaut took camera on spacewalk, but forgot SD memory card

Tomato42
Silver badge

Re: The man is 53, for god's sake!

> I very much doubt the astronauts have a supply of SD cards for putting in various things.

Actually, they have quite a few DSLRs on ISS that they can freely use to take pictures in their spare time, so, yes, they do have a supply of SD cards

0
0

Creep travels half the world to harass online teen gamer… and gets shot by her mom – cops

Tomato42
Silver badge

Re: @Tomato ...@AC ... The cat is pretty well out of the bag already

@ Ian Michael Gumby

> First, legally, he couldn't get a gun.

really? in a country with such lax laws that they are essentially non-existent (ekhm https://en.wikipedia.org/wiki/Gun_show_loophole ekhm)

also, what happened to "if owning guns were made illegal, only criminals would have them"? he isn't exactly an upstanding member of society, now is he?

> However in the UK... you have really weird gun laws.

there is a world outside anglophone countries, you know...

0
6
Tomato42
Silver badge

Re: @AC ... The cat is pretty well out of the bag already

> While many in the Western world can't own firearms... law abiding citizens in the US can and many do.

just because you have to have a permit to have a gun in civilised countries doesn't make them illegal

also, this guy was "stupid" for not getting a gun himself, not like anything would prevent such an unhinged individual from getting one in the US

4
10

Registry to ban Cyrillic .eu addresses even if you've paid for them

Tomato42
Silver badge

I'd say you should have a mirror running on a "traditional", Latin-only, name anyway, if only to allow people from outside your little country to actually be able to visit (including expats that don't have access to a PC with the correct input method installed)

5
7
Tomato42
Silver badge

Re: Here's a thought...

> a url with two different scripts

that doesn't work, аррӏе.com is fully in Cyrillic, apple.com is in Latin script

the whole idea of IDNs is back-asswards, everybody needs to learn Latin script anyway; for languages that use diacritics, losing them is not a huge problem (and I speak two of them)

for countries that don't use it, it's still actually used in them (like on road signs) because it is so popular and universal

not to mention languages like Chinese dialects, Japanese and Korean, where you write in Latin script that is then transformed to traditional characters

it's a cash grab by registrars, plain and simple

2
5
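The post's point that a "two different scripts" rule misses аррӏе.com is easy to show in code. The following is an added example, not code from the original post: a per-label script check, using only Unicode character names from the standard library, that flags both mixed-script labels and labels written entirely in a script the site operator does not use. The hostnames are constructed samples, with the Cyrillic one written as escapes so the lookalike is visible in the source.

```python
# Added example (not from the original post): a per-label script check for hostnames.
# A "two different scripts in one URL" rule lets аррӏе.com through because every
# letter is Cyrillic; checking each label against the scripts the operator expects
# catches it. Sample hostnames are constructed.
import unicodedata

SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
                   "CJK", "HIRAGANA", "KATAKANA", "HANGUL")


def script_of(char):
    """Coarse script of one character from its Unicode name; digits, hyphen and the
    dot are 'Common' and never decide a label's script."""
    if char in "-.0123456789":
        return "Common"
    name = unicodedata.name(char, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix.title()
    return "Other"


def label_scripts(label):
    """Set of scripts used by a label, ignoring Common characters."""
    return {script_of(c) for c in label} - {"Common"}


def classify_hostname(hostname, expected=("Latin",)):
    """Return (verdict, details). Verdicts: 'ok', 'mixed-script' (one label mixes
    scripts) or 'unexpected-script' (a label written entirely in a script the
    operator does not use: the whole-script confusable case)."""
    for label in hostname.lower().split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            return "mixed-script", f"{label!r} uses {sorted(scripts)}"
        if scripts and not scripts <= set(expected):
            return "unexpected-script", f"{label!r} is entirely {scripts.pop()}"
    return "ok", hostname


if __name__ == "__main__":
    # "\u0430\u0440\u0440\u04cf\u0435" renders as аррӏе: Cyrillic a, er, er, palochka, ie.
    for host in ("apple.com", "\u0430\u0440\u0440\u04cf\u0435.com", "\u0430pple.com"):
        print(host, classify_hostname(host))
```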

German researchers defeat printers' doc-tracking dots

Tomato42
Silver badge

Re: Did it really sink Reality Winner?

The dots in question are yellow, just use b&w printer, go to some public xerox place to then duplicate them again on a b&w machine, if you are really paranoid.

7
2

At last! Apple admits its MacBook Pro butterfly keyboards utterly suck, offers free replacements

Tomato42
Silver badge

Re: Er, this Doesn't Really Fix the Problem...

@Dan 55 let's just say, I have a very small violin, you could maybe even call it "world's tiniest"...

seriously though, hubris getting punished only causes me schadenfreude, and apple has plenty of hubris

9
0

It's time for TLS 1.0 and 1.1 to die (die, die)

Tomato42
Silver badge

SHA-1

The primary reason to abandon TLS 1.0 and TLS 1.1 is SHA-1: both the signatures made by the server and the integrity of the handshake transcript depend on SHA-1.

The SHA-1 HMAC in the TLS 1.0-era ciphers is still secure, so they can be used with TLS 1.2, where they'll use SHA-256 for handshake transcript integrity (and a negotiated hash for server signatures).

0
0
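To make the distinction in the post concrete, here is an added example (not code from the original post) of the TLS 1.0/1.1 PRF and Finished computation next to their TLS 1.2 counterparts, written from RFC 2246 and RFC 5246: in 1.0/1.1 the transcript is bound through MD5 and SHA-1 with no way to negotiate anything else, while the record-layer HMAC-SHA1 of the cipher suites is a separate construction that this code does not touch. The master secret and transcript bytes are constructed.

```python
# Added example (not from the original post): where SHA-1 sits in the TLS 1.0/1.1
# handshake versus TLS 1.2, written from RFC 2246 and RFC 5246. Sample secrets and
# transcripts below are constructed.
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_<hash> data expansion: HMAC chain A(i) = HMAC(secret, A(i-1)), A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 s5): P_MD5 over the first half of the secret XOR
    P_SHA1 over the second half. Every key and Finished value derives through it."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]      # halves share a byte if length is odd
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 s5): a single P_<hash> with the suite's hash, SHA-256
    unless the cipher suite specifies otherwise."""
    return p_hash(hash_name, secret, label + seed, length)


def finished_tls10(master_secret, handshake_messages, client=True):
    """verify_data of the TLS 1.0/1.1 Finished message (RFC 2246 s7.4.9): the
    transcript is bound through MD5 || SHA-1, so its integrity rests on SHA-1."""
    label = b"client finished" if client else b"server finished"
    transcript = (hashlib.md5(handshake_messages).digest()
                  + hashlib.sha1(handshake_messages).digest())
    return prf_tls10(master_secret, label, transcript, 12)


def finished_tls12(master_secret, handshake_messages, client=True):
    """verify_data of the TLS 1.2 Finished message (RFC 5246 s7.4.9): transcript
    hashed with the PRF hash (SHA-256), no SHA-1 involved."""
    label = b"client finished" if client else b"server finished"
    transcript = hashlib.sha256(handshake_messages).digest()
    return prf_tls12(master_secret, label, transcript, 12)


if __name__ == "__main__":
    master = bytes(range(48))                  # constructed 48-byte master secret
    transcript = b"ClientHello...ServerHelloDone (constructed)"
    print("TLS 1.0 verify_data:", finished_tls10(master, transcript).hex())
    print("TLS 1.2 verify_data:", finished_tls12(master, transcript).hex())
```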

Intel chip flaw: Math unit may spill crypto secrets from apps to malware

Tomato42
Silver badge

Re: Homomorphic encryption only option

homomorphic encryption still needs to be implemented in a way that hides the information about the secret addition to the already encrypted data – that's a place for bugs.

it's not a panacea

2
0

First A380 flown in anger to be broken up for parts

Tomato42
Silver badge

second hand parts are problematic if their provenance and usage amount is unknown; no such thing in aviation

9
1

NASA makes the James Webb Telescope a looker with a heart of gold

Tomato42
Silver badge

> It's also a reminder of the project's cost, estimated to be about $8.8 billion by the US Government Accountability Office

I'm quite sure the amount of gold on it is so small that any astronomer that will be able to use it would pocket the cost of it himself or herself if it guaranteed 10% of time on the Webb.

8
0


Biting the hand that feeds IT © 1998–2018