Posts by Ken Hagan

Re: Surely

"That's just a shortened form of the word "nobility" though, isn't it?"

Well, yes, but you could equally well observe that "knob" is just the appropriate word for something that sticks out so that you can fiddle about with it to make stuff happen.

Re: A Kludge

"Hyperthreading always was a kludge to desperately keep overlong pipelines full."

I don't think that's fair. It keeps an OoO processor core busier than it would otherwise be if it could only take instructions from one thread of execution. You lose if the second stream of instructions blows your caches (so your workload is memory-bandwidth-limited) and you win if it doesn't (so your workload is computation-limited). It presumably takes fewer transistors than a second core but makes fault handling more gnarly.

End-users have always been able to switch it off in the BIOS, so OpenBSD are merely making it easy to do that after you've booted the OS. Obviously I don't know whether this is inspired by advance warning of another Spectre-like bug, but it seems more likely to me that they just thought it would be prudent in the current climate to have a switch already in place for their users. As the article points out, it is quite believable that being able to share a core with your victim makes a timing attack easier.

Re: A rewrite is long overdue...

You may welcome a re-write of office using "modern" techniques, whatever those might be, but unless they accurately reproduce all the behaviours of the old software (which, as you point out, can't even be described by MS, let alone anyone else) it won't be fully backwards compatible.

If your re-write isn't compatible, it has to be sufficiently better than the various free offerings before anyone will be willing to pay for it. So ... how much would it cost to re-write Office from scratch, how many copies would you expect to sell and at what cost, given that LibreOffice already exists, largely does what it says on the tin, and is free? I can't see the business case myself. To be honest, I can't even see a business case for fixing bugs in the current version of Office, since every bug fix runs the risk of breaking someone's document and making them jump ship to LO.

It's not a good time to be Microsoft.

Updated: Apropos of nothing, I had an interesting experience the other day. We created a new WORD document, from scratch, in WORD itself, with nothing more than a few paragraphs and some embedded PNGs. It print previewed fine, but printing either to a real printer or to a PDF garbled the images. We eventually got it to print properly by importing into LibreOffice. Just to emphasise how ridiculous this was, we weren't asking for "backwards compatibility" with anything other than the version of WORD that we had used not 5 minutes earlier to create the blasted document in the first place.

Re: Computerised medical devices need TWO computers

"There's an additional problem if that computer fails and the approved S/W is unable to run on current H/W. There's a periodic need to update the S/W to keep up with what's available in the market place."

That one is easy. You insist that the vendor either maintains it for the period specified in the contract or publishes sufficient information for you to do so. Failure to do either results in paying back x% of the purchase price, where x% is the percentage of the advertised product lifetime that turned out to be untrue.

"If hospitals don't buy their equipment (from an industry where all the players operate very similar licence terms) people might die"

Whereas if hospitals *do* buy their equipment from vendors that are running a file sharing protocol that was superseded on security grounds over a decade ago, then people might die.

Re: obvious solution ...

"You don't have to go that far. Just provide a link that is one-way image data only."

This is a sufficiently common situation that I'd be astonished if someone couldn't come up with a generic solution. Even putting something like a raspberry pi in between the unpatchable equipment and the hospital network would let the IT admins isolate the risk and patch the sole point of contact.

Re: obvious solution ...

"I don't see why the MRI machine needs to networked."

I don't see why it is allowed to be. In security terms, if the hospital isn't in control of it, then it is no safer than a laptop belonging to a random member of the general public. (The system owner may be innocent in both cases, but because of the lax patch regime, you don't really know *who* is controlling the machine.)

Re: MS Logic

"The auto-update broke my driver and gave me BSOD!"

If that can be triggered remotely, it's a denial-of-service attack. For example, a BSOD in the driver for a network card or storage driver would fit the bill if it was triggered by particular patterns of data (that an attacker could easily provide from the outside).

Given the scope for additional corruption of the system, unknown in both extent and location, if you can BSOD a box, it is probably quite a serious security bug.

Re: Lloyds

https://en.wikipedia.org/wiki/IBM_308X

A 1980 IBM mainframe. Ran at several MIPS. Main memory several dozen megabytes if you completely maxed out. Consumed several dozen kilowatts. Cost: I don't know. Could you buy one or was it some kind of rental model?

Compare to the original IBM PC (1981). Ran at several dozen KIPS (yes the clock speed was 4Mhz but instructions took a dozen or so cycles to run and unless you were happy with 8-bit numbers you'd need quite a few instructions even to add a couple of numbers). Main memory several dozen kilobytes. Consumed several dozen watts. (Guessing there. Anyone know?) Cost: $1500.

If you weren't there, it's probably quite hard to get your head round how crap they were. And yet, you could do so much if you were careful about it.

"Clearly the writers assumed most viewers would never have seen Superman 3."

I haven't seen either film but the plot device you describe was familiar to me before I saw Superman (1). I think the writers were just lazy.

Re: Who in their right mind wants cloud based...

"The only reason I can see for this is the ISPs want more control over what flows to and from my home network."

If they want that, they already control the other end of the wire.

I'm with you all the way on the "Hell no, no way, fuck off." bit, but I'm struggling to see the attraction of this product. It doesn't relieve us of the need to update firmware on our router from time to time, because there will still be some device or other at the consumer end of the wire and that device is going to have something running on it and that means occasional bugs and the need for patches. It doesn't even save money, since the only part that is different from a normal router is the CPU and the price difference between some tiny micro-controller and a CPU beefy enough to run Linux is, well, close to zero and falling with every year.

Re: Most people think Chrome is the ONLY browser...

I tried mobile Firefox a few months ago but it crashed on startup, which IMHO makes it slightly worse than Chrome.

But cheap snarks aside ... What are people's suggestions for a decent mobile browser?

Re: EU not content

"Smartphones and PCs are totally different. How they are used, how they are serviced, their lifespan, their upgradability, their app model, everything essentially."

Perhaps they are, but they needn't be. They are both just computers running a UNIX-like operating system. The hardware in both ought to last for a decade or more and, these days at least, is probably powerful enough to still be useful at the end of that period unless you deliberately bloat your OS with a fresh waggon-load of badly written shit every year. Differences in physical size affect their use, but there's no reason why you couldn't plug a phone into a base-station and use a full-size keyboard and mouse. Nor is there any reason to tie one device to a walled garden and let the other run software from old-fashioned third parties.

Funnily enough, though, the big vendors prefer you to upgrade every few years and aren't above using update-starvation to force that issue. They also prefer you to buy two separate devices and synchronise everything by sharing it with their cloud storage. Finally, they would much prefer if you stopped speaking directly to those third-parties and instead used an app store where they get a cut for doing sweet fuck all.

But yeah, it's laughable how people don't understand this.

Re: Age means nothing

Most stuff is OK to transmit in the clear. For the really sensitive stuff, like backups, it should probably be stored in encrypted form and so transmitting in the clear is fine. For other stuff, if you are still bothered, a better option is probably to use IPsec and then stop worrying about whether your various higher level protocols have encryption built-in. Sadly, IPsec appears to be stuck in the same tar-pit as IPv6.

And whilst I'm thinking about this, if Ned Pyle really wants to see the end of SMB1 he should push for MS and people like CERT to issue official statements that any device that defaults to SMB1 is, their considered expert view, not safe to connect to a network in 2018 and therefore not fit for purpose. *That*, from them, would greatly assist anyone who wants to pick a fight with vendors on this point. They could go to their Trading Standards people and say "Expert opinion is on my side here.".

Depending on how pissed off you are, you might want to argue that the device is not fit for purpose. MS have spent about half a decade pleading with everyone to stop using it ASAP. There's no way this device is fit for purpose even now, let alone for however many years a consumer product is supposed to receive support. (Looks like 6 in the UK: https://www.which.co.uk/consumer-rights/advice/what-do-i-do-if-i-have-a-faulty-product)

Failing that, name the vendor here and we can all tell as many of our friends as possible to steer clear of the brand forever.

Re: Too little, too late for advertisers

"Why shouldn't El Reg get some advertising revenue?"

Because the ads they use to generate that revenue actually make the site too slow for my browser to load an article, so I can't actually read the content that is being paid for. At least, that was how bad things had become when I stopped white-listing them. And here's the rub -- I'm never going to switch the whitelist back on to see whether things have got better because, frankly, I have better things to do with my life than act as as unpaid parole officer.

"And surely they need to know which articles are most popular with various demographics?"

I don't see why. They may need to know which articles are most popular, but their web server's logs will tell them that. Breaking it down further means identifying and tracking people on this site and then correlating that with spying done on other web-sites to determine the overall demographic. Advertising managed for a century or more without actually having *that* level of detail, so I don't think this is really necessary either.

And anyway, unless the advertisers control the PC I'm using to browse, they only get the demographic information that I choose to share, so their much-vaunted analysis is basically dividing the population into "can use an ad-blocker" and "can't use an ad-blocker".

Re: Short-lived but well-received

"I think we just have to accept that journalism is following music down the road to being an almost entirely amateur activity."

This, in spades. Applies to basically all forms of publishing. (YouTube's amateur content matches most of the output of "proper" TV stations. Academic publishers are facing a revolt from their own content providers in many fields. Even the porn appears to be free.)

Yes, you lose the editorial quality control and that does mean you get an awful lot of dross (and in the case of porn, probably a fair proportion that is criminal evidence), but if we can find new ways of sorting or searching by (our personal measures of) quality then this won't matter (except for the criminal bit -- I think we ought to be worried about that).

You may also lose the possibility of investigative journalism, which would suit the rich and powerful, but the internet appears to be offering a replacement in the form of millions of individuals who are willing to publish and be damned. It is not clear to me that we'll actually be worse off -- just different.

Re: Gimme speed

"Gimme a 10GHz CPU."

CPU frequencies have hardly moved in over ten years. The wavelength of light at 10GHz is smaller than the die size of aforesaid CPUs. It is quite plausible that you will not live long enough to see a 10GHz part in normal commercial channels. (And no, I have no idea how old you are.)

Re: Gimme speed

^ Richard 12

I'd argue that assembler is the out-dated concept, not just the hand-coded variety. Modern processors don't really execute instructions anymore, they simply move data from place to place and sometimes the data is changed en route. The limiting factor on speed is nearly always how long it takes to shuffle the required data through the required list of places it has to visit, and making sure that when two pieces of data have to meet up in a place, that they do so at the same time.

Assembly language isn't a particularly good way of expressing the requirements, but out-of-order processing allows the hardware to converts a sequence of instructions into a data-flow, on-the-fly. So we end up with people writing lists of instructions in a high-level language, which the compiler tries to turn into a data-flow but then has to write out as another sequence of (assembly) instructions, which the CPU tries to turn back into a data-flow for the most efficient execution.

Maybe one day we'll figure out how to express non-embarrassingly-parallel algorithms directly. I'm not holding my breath, though. The academics have been looking for such languages for all of my life and no-one has found one. (I think the commercial incentives are now such that any successful solution to this problem would go mainstream within 2-3 years.)

Re: PWC

"wouldn't they be better focused on [...]"

I think it is pretty clear from this that they are a bunch of innumerate twonks, so no. Really. It would *not* be better for them to focus on any activity that requires counting.