Will this go in the compilations of Smeg-Ups that accompanied the TV show?
346 posts • joined 20 Sep 2011
quote: "The attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features into his tools and websites," Sophos reported.
Sorry Sophos, but why is it "his tools"? Why could it not be "her tools"? Or "their tools" to be more gender-neutral?
Depends on the time between step 1 & 2. If the cracks propagated quickly then it may not have been an option. However, SOP for visible cracking normally is to descend to 10k ft.
Re: Last time this happened...
Nope. The technician doing the job walked into stores, eyeballed the different screws available and found what he thought was the correct type, ignoring the recommendation of the stores officer as to what the correct type was.
He got the right diameter and thread pitch but just a little too short to fully engage in the socket.
(at least that's my recollection of the NatGeo Aircrash Investigation episode)
I would dispute the "all of them" statement. I've been satisfied with my occasional interactions with Zen cust svcs, although I wish they were open longer hours.
Re: Safe for personnel?
When I worked in a facility that had a gas discharge fire system (FM200 from memory) we were told to get out of the room ASAP when the alarm went off, as being in there when the discharge went off would likely blow out your ear drums and possibly cause other problems too. Even people near the room weren't safe, as for some reason they put windows in one of the exterior walls to a corridor so they could show off the contents of the DC. The glass wouldn't survive the discharge.
So hang on, they say "Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication.".
Notice the word "all" missing. They were very selective with their notifications, with some OS vendors finding out around the same time El Reg did, while Mickeysoft and Linux had months of notice.
"In this case, news of the exploit was reported ahead of the industry coalition's intended public disclosure date at which point Intel immediately engaged the US government and others."
Right. Because giving people 4 days to write extremely complex changes to their VM systems is TOTALLY FINE.
Responsible disclosure my posterior.
Re: I just do not understand
If you strip out the "extraordinary event" last year (the GlobalFoundries write-down), the income was $255m profit for FY2016. Compare that to an income of $179m for FY2017. If Ryzen/Epyc/etc are selling like hot cakes then it would be reasonable to expect better profit margins. I suspect the street were also looking for better news for FY2018. The article here doesn't contain anything about any forecast, which is likely also what dinged the price.
I suspect Intel's stock price went up because they announced that they will have Meltdown+Spectre silicon ready later this year, and analysts expect all the cloud providers to refresh their servers to get rid of the problems. Remember that Dilbert cartoon where the PHB promised a bonus for every bug fixed? Intel just coded themselves a Ferrari - they instantly made all existing silicon undesirable. Customers can't put off buying new kit so Intel will keep churning out buggy silicon to customers and banking the profit, but the customers could want new silicon ahead of their normal refresh periods to get rid of the bugs, so Intel scores a MASSIVE win. All it has to do is make sure the legal costs are less than the bonus.
If I get on board a passenger aircraft and see a rubber duck in the cockpit, I'm getting off again....
Re: Notes wasn't a bad idea.
I suspect Notes Applications are the one reason Notes still exists. Companies built their business processes around Notes Apps and it's too expensive to move off, so they're stuck on the platform. It was certainly one of the big blockers to migrations off Notes in the companies I dealt with.
Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages
Re: By design?
Is this the new FBI version of security?
Re: Waste, fraud and abuse
You know why? No politician wants to commit career suicide by voting to de-fund an agency that could prevent a terrorist attack, because if an attack happens then fingers will be pointed at the lack of funding.
It's the same reason that after every attack legislation is almost always passed to try and prevent another attack. Not because another attack is likely using the same method (apart from the truck attacks which appear to be the new favourite), but because they have to be seen to do SOMETHING. Even if it's completely ineffective, such as most of the security theatre put in place after September 11. Or the backscatter body perv scanners that were installed after the underwear bomber, that have been proved to let stuff past if you make it look like part of your body (e.g. fake belly).
Can't get congress to act on reports they can't see
One Congress-critter (can't remember who) commented that one of the reasons that it's so difficult to get Congress to effectively review surveillance legislation is that the committees that review the secret reports cannot tell other members of Congress their contents, even in a general manner. They cannot take anything in to those briefings (so no notes or recordings), and there are never any nice handouts they can share afterwards.
So all those closed-door committee briefings? Completely worthless. The committee cannot report on what they were told, so the other people in Congress that get to vote on the legislation don't know about any transgressions (unless a whistleblower comes forward, and we all know how that ends), and therefore cannot do anything more than rubber stamp whatever the spy agencies want.
I doubt any country is any better to be honest.
Soldiers unaware of the Faraday cage
"In the same year, three Sri Lankan soldiers were electrocuted after a squirrel caused a fire that broke power lines – causing them to fall on the soldiers' vehicle."
From what I understand, the soldiers who died got out of the vehicle, and were therefore electrocuted. The other soldiers in the same vehicle who stayed inside survived.
Re: Or a shovel through a fibre/wire bundle
My favourite RFO* from a telco was that they found shotgun pellets embedded in the fibre. Someone had been taking pot shots at some fauna and had taken out the fibre instead. I guess it must have been hung from telephone poles, but can't remember to be honest.
Yes, this was in the land where the 2nd amendment is used to justify way too much
* RFO = Reason For Outage
Re: Commercial Aircraft Locations
@ The Man Who Fell To Earth
Hopefully accurate telemetry. I watched a 767 land at GLA airport a few years ago on an online plane tracker. Something in the ADS-B data path for the plane drifted as it held east of Glasgow while the runway was cleared of snow. Each loop around the hold pattern the plane "drifted" a few miles north. In the end, when they landed at GLA the tracker showed it landing in the Trossachs! Probably a badly calibrated inertial guidance system feeding the transponder. Since they landed safely, the cockpit crew must have been using a different navigation source, maybe relying on beacons instead of inertial navigation.
However, I agree. The Inmarsat data would have been much more useful had it included the ADS-B transponder data in a way that the cockpit could not disable. Doesn't have to be every few seconds like ADS-B, but every 15 minutes would suffice to narrow down the search area.
Assuming that the theoretical flight path from primary RADAR sources (after the transponder and ACARS systems were disabled) is correct, it is highly unlikely to have been an equipment malfunction. Equipment malfunctions generally don't route around populated areas and RADAR systems. If the plane was being controlled by someone, then routing around populated areas to crash land makes sense, but they never descended. If you lost radio comms, there are protocols in place for that (circle one way to say lost transmission, circle the other way to say lost both receive & transmit).
Autopilot could have flown the route, but only after someone told it to.
What's worse is that even if they find the wreckage they may still NOT figure out what happened. Even if the CVR & FDR survived, the CVR only records the last 30 minutes of cockpit noises. It was never designed for this scenario where something happened hours earlier. There is also no guarantee that the CVR and FDR weren't disabled also, there is (or was) a breaker in the cockpit that could be used to disable them. Not sure about the 777.
Sorry to ruin everyone's joke comments by asking a question, but what changes to European flight numbering? Are they going to 4 digit numbers across the board or something?
The last I heard (which was admittedly a few years ago) was that NASA had set up a test bed which simulated pilots in an ATC zone and all the ATC comms associated with that (lots of people running FSX in a lab with 2 way headsets, and an ATC with some kind of virtual radar view of all the planes).
The one point of ATC instructions over data comms is that pilots lose situational awareness. By having all instructions broadcast, there is a second level of error checking going on because if ATC tells a plane to fly an altitude, a plane already at that altitude can hear the instruction and relay any concern about a possible conflict.
With data based ATC comms that is lost.
Probably more of an issue for approach/departure controllers around an airport rather than at high altitude, but it is still a concern.
Re: Am I missing something here?
Repeating back "Turning to 270" doesn't mean that the pilot has done it, but it does mean that the pilot has heard the instruction and at some level understood it. Hitting "OK" on the flight computer doesn't indicate understanding or even that the message was seen.
Or they could use the keyboard to do text selection:
Shift + Left or Shift + Right selects text one character at a time.
Command + Left or Command + Right selects from the cursor to the start or end of the line.
Option + Left or Option + Right selects the word to the left or right.
Re: will do methinks for a new Mac Pro
you can never have enough cores!
Quote: "while teasing developers with goodies like posted interrupts, working TSX,"
Surely that should be
"while teasing developers with goodies like posted interrupts, allegedly working TSX,"
Pretty much every Intel chip product of the last decade (and probably longer) has had multiple errata, I suspect most of them found after release. I think claiming TSX is working is a bit premature until it's seen in the wild for a while.
I'm curious, what telecoms companies rely on GPS for any timekeeping? Muxes and the like (at least the ones I saw) had no external clock/timing source, and POTS exchanges (even digital ones) have been around long enough to pre-date such clock sources so I can't see them relying on that either (I've seen a few 5ESS systems in the USA, didn't go into the details of the different inputs)
Mobile phone companies maybe?
Quote: "It's supposed to help employees who are bad at remembering complex passwords"
It will do, until they lose their phone, or the system breaks and goes into some failsafe mode that needs the password, and they then need to remember their long and complex password, which they haven't used at all, so they have no hope of remembering it.
Wait until the system breaks for everyone at the same time and then watch the helpdesk melt.
Secunia PSI warns you (and also scans once a week by default) about out of date software. So I'm puzzled by people who have PSI installed and don't keep up-to-date. They clearly had/have an interest in patching their systems, else why install PSI in the first place? Maybe the Windows habit of hiding tray icons by default contributes to delinquency?
All EE domains seem to be 1 yr renewals.
orange.co.uk, t-mobile.co.uk, ee.co.uk, etc, all expire in 2016. Guess they're short of money.
Re: When HDR becomes prevalent ...
Maybe Sky will also quit using 50i outputs and give decent data rates for their encoding so the picture doesn't look so crap.
Who am I kidding. Never happen.
Anyone know how this is "hard coded"? Would blocking it on the DNS server work?
Re: Oh dear. Same old tricks still working.
The CIO is probably not the problem. The CIO on their own is likely not sufficient to enact change as they still need to rely on budget approvals from other people. The CEO and the entire board of directors (including the chairman) need to be liable. Only then will things START to change.
I am starting to think that people that say antivirus/antimalware/IDS and IPS are the wrong solution are correct. Antivirus/antimalware only work once the signature of an attack is known. Most IDS and IPS are set up the same way: look for known attack traffic and then respond.
No, you need to set up your systems to allow known legitimate traffic/files/applications and block everything else (i.e. whitelist good stuff, not blacklist known bad stuff). Only then will security start becoming effective.
Recently read somewhere else a story about the Network Rail plan to switch the East Coast Main Line (between Kings Cross and Edinburgh) over to ERTMS, at least in the southern part of the route, due to European compatibility regulations.
They specifically call out 2G based GSM-R as a problem. What's the bet that the Germans upgrade to 4G based radios and the UK subsequently installs a 2G based solution because we're idiots?
"Apparently you need to have BT Internet service to take their TV!"
Not exactly a surprise. They can properly manage delivery of the service over their network (anything not picked up off Freeview is sent over IP). QoS and other stuff which allow you to prioritise delivery stops the second a packet leaves your network. Plus paying other broadband customers to deliver your TV service probably isn't in their model.
I have a Sky box and it's plugged in to my home network, but I only let it through the firewall when I want to download a program. I don't want the damned thing sending/receiving data when I'm trying to do other stuff on my crappy bandwidth (the service itself is excellent for a 10 year old tech, i.e. ADSL2+. Pity NeverReach don't want to extend FTTC or FTTP to my street, and I'm not holding my breath for G.Fast to appear any time soon).
Re: It is NOT fibre ...
I know of a company which laid high speed Internet cables through some of the poorest areas of a given city just to pump up the "homes passed" figures. The people couldn't afford the basic service, let alone all the other stuff they were selling. It was mostly a waste of money, but it appeared good to investors.
The metric needs to be retired and replaced with something more meaningful which indicates the ability of the residents in the premises passed by a cable to actually afford one or more of the services provided.
Re: Missed one mystery
To a degree it probably depends on the controller driving the chips. It looks like it could be more like RAM, but initial implementations may present it as a block device to aid adoption before trying to create new places in the storage stack for it.
If that's true, then they don't appear to have much slack in the system. It should surely be able to process more than another 150k transactions per window without melting?
Re: Oh yes it is
I've yet to meet a piece of software that has no bugs. You can put in DR and backup systems to your heart's content, but a single line of code can bring the entire lot crashing down around your head.
1) Free certs (basic, i.e. not the EV ones that give the green flag on the address bar) are already available and honestly not that complicated to get (installation can still be a pain).
2) So far no-one seems to have solved the underlying trust issue (i.e. can we trust that the CA issued that cert to the entity you think you're connecting to), other than relying on DNSSEC, which isn't widespread enough yet to make a noticeable difference (RFC 6698). Even DANE is not without potential issues, since it can be used to make phishing sites look legitimate (see https://www.imperialviolet.org/2011/06/16/dnssecchrome.html ).
Re: Very cool
Unless my calculations are out:
743,000 x 4KB read ops/sec = 2,972,000 KB/sec = a shave under 3 GBytes/sec read
160,000 x 4KB write ops/sec = 640,000 KB/sec = 625 MBytes/sec write
Without pondering PCIe bus saturation problems (only using 4 lanes of PCIe so there should still be capacity, in theory) I've definitely seen applications that could chew through those throughputs, or make a pretty sizeable dent in them anyway. Netflix Open Connect comes to mind as one of the more obvious applications.
Plus, it's not just the IOPS you need to consider. It's the latency. Even if you can't hit the IOPS, if you reduce the latency of your application 5x or more, the cost could be justified in various situations where the read or write of that piece of data is a blocking action for something else, e.g. a database. If you have to hit the DB 20x to do one action, you just sped that action up tremendously.
Not entirely sure OpenReach as part of BT is the problem
There is little incentive to lay competing cable to reach consumers in the UK. The logical choice would be cable companies, but despite a large number of cable companies springing up in the UK during my lifetime, Sky drove most of them out of business, and the few that remained went to Virgin Media which hasn't really done much to invest in reaching more homes.
A large factor in that is the cost of laying cables, because that involves digging up streets to put in new ducting.
Perhaps separating ducting from the rest of the infrastructure would help so companies can rent/buy duct access to run their own cable if they wanted to, thereby providing true competition for the last mile instead of just letting OpenReach dictate what the UK should be offered.
So the real reason is revealed. The NSA lobbied the FCC to make sure that the companies that they scrape their data from are able to get the data to their warehouses from the consumers.
“Sophisticated terrorists could even steer planes into one another”
Really? Guess the Senator has never heard of TCAS then. You could probably try to get Cessna 152 and 172s to collide (no more than 4 people on board each plane), however they go slow enough that VFR visual scanning would normally catch the collision. Every scheduled passenger flight has TCAS by FAA mandate (and CAA in the UK, etc) which prevents that exact situation from happening.
You'd stand a better chance of CFIT (Controlled Flight Into Terrain) because there ARE some weaknesses in the prevention systems there, but you'd have to be in IFR conditions with no visibility and find a suitably steep mountain that wouldn't trigger the "Too low, terrain" warning until it's too late, at least until the GPS based terrain warning systems are available and generally used.
It is definitely LHR. You can see the T5 toast-rack configuration at the left and the T4 oddity at the bottom right. Must be an old pic because the new toast-rack for T2 is missing. I think the pic pre-dates T5C coming online actually.
Re: Who's laws would they be breaking?
As far as I am aware, there is already legal precedent for the wiretap laws to be used for Internet traffic, and it doesn't have to be for SSL traffic, *all* IP traffic counts.
The trouble comes from the license agreement. As far as I understand it, enterprises can put fake SSL signing certs onto their computers so that they can intercept SSL connections at their IDS/IPS/filtering gateways so they can make sure that no malicious traffic is found because you likely agreed to it as part of the conditions of employment.
If Lenovo put that in the license agreement (that no-one ever reads) then they *may* have a get out of jail free card.
Re: How did that actually work then?
In theory direct debits should be secure as the signature on the authorisation form should be compared to what is on record at the bank. In practice I suspect that was never done.
Also, as far as I know there are now 100% electronic direct debit instructions, so in theory yes, a DD could be made just on sort code, account number and the name of the account holder.
SSD manufacturers warn that FW upgrades MAY lose data, but only occasionally do they say a particular upgrade WILL lose data, and they tend to put big warnings around that.
I suspect the "MAY" comes from the fact it's difficult to prove a negative. You can't prove all SSDs in all systems will upgrade correctly without data loss, so the CYA option is to put the "we may wipe your drive" line in there.
Re: Think people
I'd be curious why RAID with SSD is "really hard"? I've seen people claim that identical SSDs in RAID are a bad idea as they tend to fail (i.e. write lifetime expire) around the same time, but beyond that I'm not sure what you mean.
Also ZFS works with SSDs as an L2ARC or ZIL without a SAN, and while it'll never fit on a laptop in that configuration, it'll work quite happily in a desktop without a big SAN.
Re: Missing data?
@Voland's right hand
Where does the dealer get the data from? It would have to be stored in the car. So the missing data source is still missing, unless I'm being dumb (always a possibility).
Quote: "On the privacy side, all of the 2014 models put out by car makers that responded to the survey collect some form of information from their customers, with 25 per cent storing it on the car and half transmitting it back to corporate servers, where it is kept for up to ten years in one case."
So if I am reading it correctly, all the 2014 models collect data, but 75% or less store it on the car and/or transmit it back to corporate servers. What do the rest do?
Why was some of this not in other databases?
"37,000 European Arrest Warrants and 60,000 missing children and vulnerable adults" - shouldn't that be in a police database that we already have access to?
Likewise the identity document alert we should have had access to when it's checked with the country of issue (which I hope we do, for all the time people stand waiting at the border for the border computer to process the document). If not, wtf are we waiting for?
"Here is what we are doing, you will support it"
I like the bit at the end of the article that implies the BBC thinks that it is up to device manufacturers to support the way they are delivering content, rather than the BBC selecting already widely supported formats and distribution mechanisms.