* Posts by Ken Hagan

6058 posts • joined 14 Jun 2007

America restarts dodgy spying program – just as classified surveillance abuse memo emerges

Ken Hagan
Gold badge

Dear America

For your next president, choose a person who is honest, passably intelligent, willing to listen to advice, familiar with your Constitution, and fully persuaded of the need to uphold it.

You have got one of those, haven't you?

If they possess the aforementioned qualities, their political leanings don't actually matter.

15
2

Is the writing on the wall for on-premises IT? This survey seems to say so

Ken Hagan
Gold badge

Re: LOL

It would appear that "keeping the business running" wasn't one of the tick boxes on offer. One wonders who they actually interviewed for this survey, or what "enterprises" they "worked" for.

20
0

Have three WINEs this weekend, because WINE 3.0 has landed

Ken Hagan
Gold badge

Re: Cautionary tale

"You do realise that the PC and the OS are the least valuable bits of a computer and the user's data is worth a fortune in comparison?"

You do also realise that, once the PC and OS have been compromised, the only safe repair process is a low-level wipe with independently-sourced installation media. Most end-users are not aware of that, have neither the media nor the know-how to do it even if they knew they ought to, and probably couldn't find someone who could. (You can't, for example, trust whatever's on that hidden partition on the hard drive and what's the betting that if you take it into a High Street shop that's all that they'll bother to do, or perhaps even all that they'll know how to do?)

12
0

Sueball smacks AMD over processor chip security flaw silence

Ken Hagan
Gold badge

You stopped this line of reasoning too soon. The defendants are essentially arguing that the damage to the wider public (caused by early disclosure) is less important than letting them sell shares early. This has two flaws. The first is that had the disclosure been made, the share price would have fallen, almost certainly before *they* personally had time to sell. The second is that by recklessly causing a zero-day disclosure, *they* would presumably be the target of other people's litigation.

It is really hard to see how the world would be a better place for these people if they win.

38
0

Flying on its own, Thunderbird seeks input on new look

Ken Hagan
Gold badge

Re: To be honest

"It will supposedly be based on this theme, "

Sigh. Themes are evil. All themes.

Time was that people who actually researched usability for a living discovered the "amazing" fact that sticking to the same theme as every other app actually made your one more usable, because human beings only had to learn once how everything worked. But that was learned ages ago, so it probably isn't true anymore, or something.

80
1
Ken Hagan
Gold badge
Windows

Stagnant is good, dead is better

These "labels" just mean we've got our priorities straight and we're not finding truckloads of bugs every few months to justify major changes. As a software developer who values "working", I'd be proud to stick either label on my work. I suspect that Thunderbird's target audience is already dominated by folks who feel the same way.

I'm sure the "form over content" brigade can find another email client.

35
1

Hawaiian fake nukes alert caused by fat-fingered fumble of garbage GUI

Ken Hagan
Gold badge

Re: Confirmation checkbox needed

"Maybe better: ..."

Er, whoosh, I think.

0
0

Junk food meets junk money: KFC starts selling Bitcoin Bucket

Ken Hagan
Gold badge

"It would have been more profitable to have just given them away."

How do we know they didn't? Can one party prove that BC were transferred between two others that don't co-operate with the first? And would *you* trust someone who buys KFC? with Bitcoin?

1
0

France may protect citizens' liberté with ban on foreigners buying local big data firms

Ken Hagan
Gold badge

Oo yes, because that worked so well last time

When I was little, there used to be a French computer company. It got all sorts of protection from its friendly government. If this sort of policy works, it ought to be a major player now but ... I can't even remember the name.

1
1

Microsoft wants to patent mind control

Ken Hagan
Gold badge

"I filed for it some 40+ years ago and got it and its universal."

I think there are quite a number of neuroscientists who would be *very* interested to read that patent.

Also, if you ever need a million or so, you could tip off the Nobel committee. I doubt there would be any serious challengers.

0
0
Ken Hagan
Gold badge
Flame

Re: Blindingly Obvious Patent

This again?

The US Patent Office is not supposed to test for novelty or anything else. US law says that you get a patent for filling in the form. The idea is that it is only worth something if it later stands up to challenge in court. Sadly, that last bit doesn't really work, not least because every other PO on the planet is apparently stupid enough to treat a US patent *as though it had already been tested and found valid*.

The system has been like this for 20 years and apparently every legislator on the planet outside the US is too fucking stupid to realise that the US no longer checks patents at the time of issue.

6
0

Third NAND dimension makes quad bit bucket cells feasible

Ken Hagan
Gold badge

"We can't call it quintuple level cell because QLC is already used for quad-level cell flash. "

You'll hit that with 6 and 7, too. Might I make a suggestion? Writing 2LC, 3LC, 4LC, 5LC ... works fine for the foreseeable future. Start using it in articles now and hope that it catches on with other authors before the quad-quin ambiguity becomes a real problem.

5
0

Remember those holy tech wars we used to have? Heh, good times

Ken Hagan
Gold badge

Re: Bigendian vs. Littleendian

Umm, no. TIFF merely guaranteed that you would have to write byte-swapping code, whether it was ever used or not.

2
0
Ken Hagan
Gold badge

Re: "something that isn't backed by anything of value can have value?"

Sigh. Money is backed by the government that issues it, using however much of the resources of the country that they can realistically draw upon. That may not be as much as the money in circulation, but it is infinitely more than some anonymous guy's say-so.

3
0

Next; tech; meltdown..? Mandatory; semicolons; in; JavaScript; mulled;

Ken Hagan
Gold badge

Re: Anyone seen a single line C program ?

This must have been a *long* time ago. UNIX has had "indent" for about 40 years and Visual Thing has had something close enough for over 20.

0
0
Ken Hagan
Gold badge

Re: Tabs v spaces

If a mix is used, the whole file is declared syntactically invalid. Problem solved.

A computer should never guess what the programmer meant. Tolerance has its place, and that place is end-user input. Programmers should just get it right and they should have the input thrown back at them repeatedly until they do that.

Funnily enough, this is also the answer to JavaScript's semi-colon question.

13
1
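The rule proposed in the comment above (reject the whole file rather than guess) can be implemented as a small pre-commit or build check. The checker below is an added example, not code from the forum post or from any project it mentions; the sample file contents and the two-level rule (no tab/space mix within one line's indentation, and no file that indents some lines with tabs and others with spaces) are my own assumptions about what "a mix" should mean.

```python
"""Indentation-mix checker (added example, not from the original post).

Implements the rule from the comment: a source file whose indentation mixes
tabs and spaces is declared invalid outright, so the tool never has to guess
what the programmer meant. Returns the offending lines so a build can fail
with a precise message. All file contents below are constructed samples.
"""

from typing import List, Tuple


def leading_whitespace(line: str) -> str:
    """Return the run of spaces and tabs at the start of a line."""
    end = 0
    while end < len(line) and line[end] in " \t":
        end += 1
    return line[:end]


def find_mixed_indentation(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every violation of the rule.

    Two things count as a violation (assumed interpretation of "a mix"):
      * a single line whose indentation contains both tabs and spaces;
      * a file whose indented lines use tabs on some lines and spaces on others
        (reported once, with line number 0, since it is a whole-file property).
    Blank and unindented lines carry no indentation information and are skipped.
    """
    problems: List[Tuple[int, str]] = []
    styles_seen = set()
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        indent = leading_whitespace(line)
        if not indent:
            continue
        has_tab = "\t" in indent
        has_space = " " in indent
        if has_tab and has_space:
            problems.append((number, "tabs and spaces mixed on one line"))
            continue
        styles_seen.add("tab" if has_tab else "space")
    if len(styles_seen) > 1:
        problems.append((0, "file mixes tab-indented and space-indented lines"))
    return problems


def is_valid(text: str) -> bool:
    """True only when the file contains no indentation mix at all."""
    return not find_mixed_indentation(text)


# Constructed sample inputs.
CLEAN = "def f():\n    return 1\n"
MIXED_LINE = "def f():\n  \treturn 1\n"          # two spaces then a tab
MIXED_FILE = "def f():\n\treturn 1\n\ndef g():\n    return 2\n"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("mixed line", MIXED_LINE), ("mixed file", MIXED_FILE)):
        verdict = "ok" if is_valid(sample) else "INVALID"
        print(f"{name}: {verdict} {find_mixed_indentation(sample)}")
```

Run it over a tree of source files from a pre-commit hook and fail the commit on any non-empty result; the point of reporting every violation rather than stopping at the first is that the author gets the whole list thrown back at once.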

Intel’s Meltdown fix freaked out some Broadwells, Haswells

Ken Hagan
Gold badge

" AMD on Thursday confirmed that it’s kit is vulnerable to Spectre."

Is this news? You make it sound like a belated admission but the announcements last week made it perfectly clear that they'd failed to demonstrate Meltdown on AMD but managed Spectre.

20
0

Wondering where your JavaScript libs went? Spam-detection snafu exiled npm packages

Ken Hagan
Gold badge

Re: Foot gun fully operational

"The stupid all runs together for we old guys."

You are too kind, and not especially old. I'm trying to teach my kids about revision control before they get too deep into their own projects.

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration

These guys are on level 1: not even repeatable from one day to the next because they don't actually control their own code.

7
0

Uncle Sam's treatment of Huawei is world-class hypocrisy – consumers will pay the price

Ken Hagan
Gold badge

Re: Spies, damn spies and corporations?

"COMMUNISTS!!!! Aaaarrrrggghhhh!"

Where? China hasn't been communist for a couple of decades now. It's a monarchy, although not yet one you could describe as "hereditary", unlike its north-eastern neighbour.

Of course, all "communist" countries tend to follow this model, but I do think it would be helpful if those of us who don't live in them (and therefore are free to speak) stop using the C-word and start calling them what they really are.

10
1
Ken Hagan
Gold badge

Re: Ken Thompson's lecture

Well, anything based on Android is almost certainly built using Google's toolchain, which only runs on x64. And we know how secure *that* is these days. :(

0
5

1 in 5 STEM bros whinge they can't catch a break in tech world they run

Ken Hagan
Gold badge

"I am in my position because I was the best applicant at the time. "

You *may* have been. However, all we can be certain of is that the person who employed you *thought* you were. We have no way of assessing "best" when matching something as vague as a person to something as vague as a job. We never will. HR is not a branch of engineering.

8
15
Ken Hagan
Gold badge

Re: Isn't it a small minority

"Applying positive gender correction to numbers, etc EARLY. VERY EARLY. The latest point where it can and should be applied is University."

You are on the back foot with that one from roughly age 10 onwards. By 14 or so (in the UK at least) children are closing doors on themselves academically with their subject choices. By the time you get to university, it is *way*, *way* too late to do anything about the fact that the applicants simply aren't there.

Other than that, I think I agree. I particularly like the "Alice" touch, though it will doubtless annoy the snowflakes described in the article.

(Edit: The term "snowflake" was coined by social conservatives as a term of abuse for those who in their view "couldn't stand the heat" of real life. Therefore, I think it is entirely reasonable to use it against those of that same group who, it seems, can't stand the heat when it is applied to themselves.)

33
7

Cryptocurrencies to end in tears, says investor wizard Warren Buffet

Ken Hagan
Gold badge

I'm not sure the "don't understand" bit is entirely fair. What he doesn't understand is why anyone could possibly think these currencies were worth anything. That's different from understanding how they work. (Possibly he doesn't understand that either, but at least that is because he doesn't *need* to, given his position on their intrinsic value.)

On the other hand, he probably knows a pyramid scheme when he sees one.

55
1

Apple agrees to pay £136m in back idiot taxes to UK taxman

Ken Hagan
Gold badge

"Then explain Ireland?"

That's an example of a wider phenomenon whereby tax dodgers can break any *individual* law for a few years until the authorities catch up, whereupon they come to a "settlement" about previous years' misbehaviour and have to find a new dodge in future. Since the authorities are always a few years behind the dodgers, the long-term effect is a rolling window of opportunity for the most "innovative" accountants.

2
0
Ken Hagan
Gold badge

"In my opinion, corporation tax should be abolished, you can just set VAT and payroll taxes to fair tax rates and be done with it, and everyone pays the same percent of turnover. That's not possible to fudge."

Until you find a company that pays staff almost nothing but which conveniently provides huge pensions and all-expenses-paid staff accommodation. You can fudge anything and those earning the most will always be able to spend more time/cash on fudging.

I will accept, however, that my example would be pretty blatant. In fact, almost any simplification of the tax code will make it (slightly) harder to fudge things. You could, for example, scrap several thousand "tax breaks" that have been introduced at a rate of several per year (because they are eye-catching and politicians like that) since the dawn of time. This would hurt almost no-one except the accountants.

1
0

'Repeal hate crime laws for free speech' petition passes 14k signatures

Ken Hagan
Gold badge

Re: My view

"Just exercising my freedom of speech in the manner that you seem to support."

Indeed, and notice how little threat you pose to the community. By the way, you're wrong. I think you should be killed just in case you are tempted to say something unsafe again in future. It's the only way to be sure...

15
2

CPU bug patch saga: Antivirus tools caught with their hands in the Windows cookie jar

Ken Hagan
Gold badge

You have it the wrong way round. The kernel *was* previously visible to these tools (though undocumented) and so the AV folks reverse engineered enough to learn how to hack into it. Now it is no longer visible and the same hacks fall into a black hole and bring down the system.

20
0
Ken Hagan
Gold badge

Re: Useful

They are all "badly written", by design. This is just a heads up at the sort of shenanigans they have been getting up to all these years. AV tools are an invasion of your kernel internals by someone who doesn't know enough about your kernel and cannot respond to implementation changes in a timely fashion and if they get it wrong then your entire system is tanked and you might as well not own a PC.

17
1

How are the shares, Bry? Intel chief cops to CPU fix slowdowns

Ken Hagan
Gold badge

If there was some way to insert a random fuzz on the RDTSC instruction (which I imagine is the only timer with sufficient resolution to measure a cache miss) then that might work. Alternatively, is it possible to block access to RDTSC from user-space processes? If so, that might cut off one line of attack (though presumably still leave open the "attack VM host from guest kernel" vulnerability, which frankly ought to be scaring the cloud computing industry shitless).

1
0

With WPA3, Wi-Fi will be secure this time, really, wireless bods promise

Ken Hagan
Gold badge

Re: Will this require new hardware?

I don't know but...

The bit that is best hardware-accelerated is the encryption of payload data once you've authenticated and agreed a key with the other party. The bits that are most likely to be new in WPA3 are "everything else".

WPA2-with-fixes might offer a stepping stone but, as the OP said, good luck getting firmware updates for your existing Things (as in, internet-thereof). My guess would be that upgrading to WPA3 may be no harder than upgrading to WPA2-with-fixes.

7
0

Parliamentary 'puters made 30k tries to procure pr0nz last year

Ken Hagan
Gold badge

"but there are LOTS of so called genuine web media outlets which don't scrutinise the advertising space that they've resold"

Perhaps they should. Perhaps there should be a bit more reputational damage for sites that don't scrutinise what ends up in their advertising space. Perhaps then we'd see the ad-brokers given the damn good kicking they so richly deserve.

After all, if you can code up a Spectre attack in Javascript, ads are a pretty major security issue.

2
0

Your connection is not Brexit... we mean private: UK Tory party lets security cert expire

Ken Hagan
Gold badge

Re: blah blah who cares?

"convinces half of parliament that security is secondary"

I think most of us would be surprised and delighted to discover that many in Parliament who cared even that much. (To consider just one example: if you or any of your staff are surfing porn sites on a work computer, security is not even in your vocabulary.)

2
0

More stuff broken amid Microsoft's efforts to fix Meltdown/Spectre vulns

Ken Hagan
Gold badge

Re: Systems without an AV may need the reg key to be set manually

"Or the patch won't appear in Windows Update."

Or any other patch, from now on, perhaps? Presumably MS will rig the WU software so that it tells you that updates are not being provided and this is what you can do about it. Presumably...

2
0

Here come the lawyers! Intel slapped with three Meltdown bug lawsuits

Ken Hagan
Gold badge

Re: Should Intel (and other chip makers) be held responsible for hardware flaws?

"It's an interesting one, but I don't personally think that Intel should be held liable for this, as it's not an intentional bug."

I agree it is interesting, and I might even agree that Intel shouldn't be held liable, but if I did then I would have a different reason for doing so. The issue is not intent, but negligence. I don't think anyone close to the action is suggesting that Intel knew about this prior to mid-2017. It would be nice to think that our spooks knew about it before then, and distressing to imagine that the other side's spooks knew about it, but in neither case would we expect Intel to be informed. So the question is: is the flaw sufficiently obvious that we can call it negligence? Well ... given that it took just about everyone 20 years to work it out, I don't think we can call it obvious.

Oh, and I also agree that Intel's PR release was BS. I'd be happy to see them prosecuted for *that*. I'm also pretty unhappy about the timescale surrounding their CEO's share dealings.

11
0
Ken Hagan
Gold badge

Re: MINIX anyone ?

Is that why Intel used MINIX for their other 2017-security-related-disaster?

3
0

Microsoft patches Windows to cool off Intel's Meltdown – wait, antivirus? Slow your roll

Ken Hagan
Gold badge

Re: Huge Baby Huge

"Are the Linux patches similar?"

To answer my own question, the only linux patch available for my Debian Stretch boxes right now is one for linux-image-amd64, so that's a big fat no. If there *are* plans to recompile all of user-space with Spectre mitigations, they aren't being put into effect yet.

5
1
Ken Hagan
Gold badge

Re: Huge Baby Huge

"Contrary to what Intel is bleating about it, it looks to be all Windows components being patched. And an enormous and rather terrifying number of them, all patched at once."

To be fair, *only* Intel are trying to pretend that this is a minor issue. Everyone else is talking about how unfixable Spectre is and how it can only be mitigated with counter-measures compiled into all software running on the system. Presumably, then, MS have simply run all of Windows through a version of the compiler that applies the mitigations. They've had 6 months to test such a compiler and they have a reproducible build system for all of Windows, so this isn't any more scary than a hobbyist rebuilding their own Linux system, which any competent software developer will tell you is not *very* scary.

11
0
Ken Hagan
Gold badge

Re: Huge Baby Huge

So that's pretty much an "out-of-band new version of Windows" coming down the wire, eh?

Well that's the internet fucked for a few days, then. Are the Linux patches similar?

3
0

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

Ken Hagan
Gold badge

"Also US-CERT has suddenly changed their advice and they don't want you to change your CPU now..."

Perhaps someone pointed out that it is pointless to suggest everyone buys a new CPU if the new ones are vulnerable in the same way.

Has anyone suggested a timescale for how long it will take to design, test and roll out production on a new CPU design that is immune? They ought to have started last June, so to a first approximation it is "the usual tick-tock period minus six months". I think that works out as a couple of years, making "a new CPU" pretty pointless until 2020.

20
0

Linux Mint 18.3: A breath of fresh air? Well, it's a step into the unGNOME

Ken Hagan
Gold badge

Re: I Always Find It Irritating...

"European Linux distros"

Assuming that a distro could meaningfully be described as belonging to a geographical region, I imagine that it would be constrained by the localisations of the individual software packages that it contains.

I'm as irritated as the next non-American by this tendency to use the spellings of a relatively minor (in numerical terms) dialect of English, but I don't think this is a fair example.

1
0

Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

Ken Hagan
Gold badge

Re: Puzzled

Thanks. Yes, I had missed the implications of the "speculative" bit, which is a little embarrassing. Since it is speculative, there is no actual page fault as far as the kernel (or host) is concerned.

Quite unpleasant really ...

4
0
Ken Hagan
Gold badge

Re: When do the lawsuits begin ? Class actions...

For anyone who pays for their time on a platform, "30% slower" equates pretty directly to a figure for damages. We won't necessarily see a class action though. Instead, we may find that cloud providers simply lower their charges for Intel-based VMs (to avoid being sued by their own customers) and then turn around to Intel and ask for a lump sum to cover it.

For anyone running a system on average at anything below 70% of its rated power, it would be harder to come up with (and defend in court) a particular figure for damages. Those cases would be messy, so I don't expect too many of the little guys will take Intel to court.

3
0
Ken Hagan
Gold badge

Re: Yeah sure.. AMD and ARM the sweet angels..! PLEASE!

"AMD statements are beyond silly."

Are they? We appear to have proof-of-concept demos that work on Intel. If those don't work on AMD then the onus is on you (or, more likely, Intel) to demonstrate that it can be done. New information is coming to light at quite a rate and such demos may already exist or may exist by the time you read this reply, but it is not obvious to me that all OoO processors are necessarily vulnerable or are vulnerable in ways that cannot be patched in software, so "beyond silly" seems rather harsh.

22
0
Ken Hagan
Gold badge

Re: Maybe we dodged a bullet?

@jmch: Yes, and for the avoidance of doubt let me say that your phrase "NSA-types" should be taken to include all the bad guys. We should not forget that whilst 99% of humanity does not look for ways to screw each other over, 99% of those who do are the kind of folks who won't share when they find a new way to do that.

18
0
Ken Hagan
Gold badge

Re: Colour me surprised ....

"First rule of secure communications, is to assume that your communications aren't secure."

It sounds nice, but if you take the position that your communications *are not* secure then logically there is no point in taking any steps to secure them.

What you actually have to do is assume that they *might not be* secure in ways that you don't yet know and you should attempt to mitigate against those by layering security elsewhere and (if you have the resources) supporting attempts (by yourself or others) to learn more about the things you don't yet know. This philosophy is much less memorable, but leads to concrete suggestions for action on your part, so it is more useful.

11
2
Ken Hagan
Gold badge

Re: Intel CEO

It was noted in another thread that executives have to give months of notice before trading their own shares, so this is probably innocent. On the other hand, the article indicates that the bug was reported last summer. I don't know how much notice is actually required, but it is possible that there are legitimate questions to answer.

However, whilst the impact of this bug is obvious to me, it may not be obvious to a CEO. If I went to *my* boss and said there is a flaw in almost every product we've produced in the last 20 years which is financially quantifiable (at least for cloud users, the impact of this bug *can* be measured in dollars) and is by design so we can be sued to pieces ... he might not believe me.

3
6
Ken Hagan
Gold badge

Puzzled

The description in the article would seem to allow a fairly simple fix in the OS.

When the original page fault occurs, control is passed from user-space (or guest space) to kernel space (or host space). The handler can determine whether the faulting address is outside user-space or not. In fact, it probably already has to do that in order to process the fault. If not, the fault is legitimate and will be related to (say) stack guard pages or virtual memory paging. We wouldn't want to penalise those, so we proceed as usual.

However, if it *is* outside user-space, I can't see any reason not to "punish" the application program (or guest kernel) by performing a full cache flush. This blocks the information disclosure. It is obviously quite costly, but as long as the bill is charged to the offending application (or guest, and in the case of cloud providers that will really mean *charged* so the provider is still happy) then it doesn't count as a DoS attack and no properly written application will ever have to pay the bill.

What have I missed?

1
0
Ken Hagan
Gold badge

Re: Lead time on new CPUs?

MS have previously said that they would not support Win7 on new Intel processors like Kaby Lake. Throwing away your old CPU may not be an option for some corporates.

8
0

And we return to Munich's migration back to Windows - it's going to cost what now?! €100m!

Ken Hagan
Gold badge

Re: 10 years to migrate 16000 PCs and they're going to go back to Windows ?

"But I'm guessing that's not the real problem. It's influence. There's obviously a strong pro-Windows faction in Munich and they've been real busy making a nuisance of themselves since the beginning of the migration."

Well as I pointed out last year when the story broke, they are claiming that they couldn't get email running on Linux, so there's clearly more than just "influence" and "nuisance" at work here. They must have a fully-fledged fifth column and if the truth were ever to come out it could probably result in criminal prosecutions.

I mean ... jeeez ... couldn't get *email* to work? On Linux? Did they even try?

49
1

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

Ken Hagan
Gold badge

Re: no news

21 hours after you posted that, I can report that it is on the front page of the BBC news website and at least one major UK newspaper. Yes, that surprises me, too, but perhaps it is just too good a *story* to pass over and, after all, even normal people use computers these days.

3
0


Biting the hand that feeds IT © 1998–2018