Posts by Brian Miller

1103 posts • joined 3 Jul 2007


Holy crappuccino. There's a latte trouble brewing... Bio-boffins reckon 60%+ of coffee species may be doomed

Brian Miller Silver badge

Re: Umm... nope.

I roast coffee at home, and one of my suppliers regularly sends out cards with coffee-centric news. This isn't recent news. (And yes, my cuppa really is better than your cuppa.)

What is happening is a fungus is ravaging the coffee plantations, just like other fungi are killing bats, salamanders, banana plants, and all sorts of other things. The biologists suspect that the fungus has become prolific due to warming weather. (That, and monoculture.)

Can the domestic coffee plants be saved by the wild coffee plants? Same way that the domestic banana plants are saved by the wild varieties: they aren't. The domestic plants are replaced in agriculture by varieties that are resistant to the fungi.

Forget your deepest, darkest secrets, smart speakers will soon listen for sniffles and farts too

Brian Miller Silver badge

We are gratified by your delusions!

"I think it could definitely record what you're saying, but I don't think it's intelligent enough to remember."

Evidently this person never worked with something called "recording tape." Once upon a time, much to the chagrin of the Nixon administration, recorded audio was not stored in ephemeral RAM, but on much less ephemeral magnetic tape. The machine had absolutely no artificial intelligence to understand the sounds, yet the sounds persisted well into, and beyond, judicial proceedings.

There is no need for a warrant when people broadcast a stream of stupid from their abode, 24/7.

Peak tech! Bacon vending machine signals apex of human invention

Brian Miller Silver badge

Extend RFC 2324

Extend the coffee protocol and support fresh-fried bacon! Really, that's the only way to do it.

Bloodhound SSC reaches the end of the road for want of £25m

Brian Miller Silver badge

No passenger seat

How many people get killed in crosswalks, versus high speed runs? I've been on three hoods, nearly under two buses, and I have no idea how many close calls. And a highly engineered speed run is as dangerous as, or more so than, being a pedestrian? Really?

If they had installed a passenger seat, then I'm sure there would have been investors.

It's nearly 2019, and your network can get pwned through an oscilloscope

Brian Miller Silver badge

This is your oscilloscope...

and this is its network port. This is a tube of glue. The twain shall meet.

And the network cable shall not ever be inserted...

This is up there with the fish tank thermometer that allowed access to a hotel's internal network.

Bomb squad descends on suspicious package to find something much more dangerous – a Journey cassette

Brian Miller Silver badge
Facepalm

Re: That's not what DAT looks like

According to the original news sources, it was, in fact, "Journey’s musical cassette tape." As in, not a DAT tape. The illustrative photograph is correct, but the Reg article is not.

It only took Oz govt transformation bods 6 months and $700k to report that blockchain ain't worth the effort

Brian Miller Silver badge

Done it for cheap

It's a one liner to auto reply for any "does blockchain fix this" email.

"No."

Done.

Forgotten that Chinese spy chip story? We haven't – it's still wrong, Super Micro tells SEC

Brian Miller Silver badge

No trace of spying!

It's very odd that the journalists were not presented with any real evidence. Really, is it so difficult to sniff the glue that holds the ethernet together?

If there was odd network traffic, then it would be nearly child's play to get a packet dump, and show world+dog the data. "Look, here's the data! That's our server IP, that's the other end point, and that's the data." No problem. How many of us do that on a daily basis?

Even if the journalists couldn't understand the data themselves, there are plenty of people who do. Trust me, we'd all love to see that trace.

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Brian Miller Silver badge

Re: Let's not go overboard with this.

Let's arm-chair-design a recreation of this exploit, and see how close we get to the real thing, after all the facts come out, shall we:

I read the original Bloomberg article. The way the article was written, it sounded like the "signal conditioner" chip could connect to the network, by itself! Only later on did it go into "detail" about it modifying the code for the BMC.

What all of this points out is something very important in system design: the CPU should not boot code that it can't verify through a chain of trust. There are a number of commercially available solutions for this, and they have been on the market for years. The concepts have been out there for far longer. Manufacturers have no reason to not pursue secure operation.

The real problem with all of this is the motherboard design has to be modified! If a shared serial bus was modified, then that means that there will be a signals conflict on the bus to modify instructions. The problem with this is that the commands are like, "Hey, #24, talk to me!" Then #24 talks, and does it blindly. To actually do what the article claims, the chip has to be in series between the CPU and the memory. That would take a change in the traces, etc. So the motherboard would have to be redesigned to incorporate the chip.

Whatever is going on, we aren't getting the full story yet.

US mobe owners will get presidential text message at 2:18 pm Eastern Time

Brian Miller Silver badge

Just hack the system like everybody else, ok?

Seriously, why does the government need to have a special alert system? Can't they just hack it like everybody else? "Oh look at us, we need our own special annoyance tone. Update your OS or you're in violation."

Yes, we've been alerted that we have a president. We knew that already.

Microsoft updates Visual Studio 2017 for devs chewing the CUDA

Brian Miller Silver badge
Joke

With ... power ....

"With Nvidia CUDA 10 comes great AI power and VS compatibility"

Shouldn't that be, "VS responsibility"?

Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code

Brian Miller Silver badge

50 million "snooped", so??

What in the world are people putting up on Facebook that is so important?? "Oh, a bot came by and made a copy of my Facebook info." Hello, it's a service for the technically inept to fill with garbage. "Me am got computer, haz keyboard, make typing."

Privacy != Facebook. If something is private, then you are supposed to keep it off of a public service. "Private" means "this data has been generated in hardware, and cannot be extracted even by de-lidding the chip."

Cisco coughs up baker's dozen of vulns and other security nasties

Brian Miller Silver badge

Re: Vulnerabilities are profitable

I think that "can't be patched" is a euphemism for "our code is so rotten and our management and devs are so horrid that we really can't do it."

I worked at a company that produced a network gateway product. The code was written over a ten-year period, and all of the devs were laid off when operations were consolidated and the devs didn't want to relocate. The compiler vendor had gone out of business. Really. And of course the code couldn't be ported to either Borland or Microsoft in a reasonable amount of time, i.e., if you bothered with a port you might as well rewrite all of it. So I fixed bugs in this mess, memory overwrites and bad logic. If I can do it being given a code base in a 20Mb .zip file, the people at Cisco can do it, if they're competent.

Scottish brewery recovers from ransomware attack

Brian Miller Silver badge

Re: Customer caught

Every time I read about, "we lost everything due to ransom-ware," I think about all of the easy, good practices that have been developed over the years. And I think about how they are not followed, because it requires even a minimum of effort.

Good backups mean that the recovery process takes place in maybe three to four hours. Bad backups mean that data spanning years is lost. Suck it up, and put good practices in place!

You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

Brian Miller Silver badge

Re: Security vs. convenience

The reason such chips haven't been developed...

No, such chips have been developed, and are commercially available. I work with a number of processors that will happily brick themselves, very nearly on the old "BBIL" (branch on burnt-out indicator light) instruction. One chip I work with has counters, which will cause the device to brick when they hit zero. It also has an array of "fuses" which, you guessed it, when they're all "burned" will cause the device to brick. And of course it's deliberately horribly sensitive to all sorts of environmental fluctuations.

And the chip costs 23 cents in quantities of 1,000.

You are right that the executives wouldn't go for it. I know: on occasion I had to support the sales VP, who just "couldn't" allow a reboot on his machine because the spreadsheet would close. Um, yeah.

The Reg takes the US government's insider threat training course

Brian Miller Silver badge

I think he's revealed a lot of stuff on how NSA operate...

He confirmed what everybody suspected. Yes, we knew NSA is a spook agency. Yes, we knew they are the big crypto spyhouse intercepting everything. Gee, all of this just so confirms it.

The real problem is that Snowden screwed the US security apparatus by deliberately releasing the actual tools being used. This wasn't like that contractor who took work home with him, and then the Kaspersky scanner did what it was supposed to do by default: flag suspicious software and send a copy back for analysis.

Snowden basically did it just to be a jerk, and really nothing more than that. Yes, the spy agencies were/are violating laws. They have always done so, they will always do so. To change the system, change the people in power. Oops, more of the same. Time for torches and pitchforks, then, but wait, the commercial break on the telly is ending...

Y'know what? VoIP can also be free from pesky regulation – US judges

Brian Miller Silver badge

Re: If phone service was unregulated

The original Bell System made a deal with the government to supply phone service to everyone at a reasonable price (including someone requiring lots of telephone poles to reach their residence).

Um, no. As someone who grew up with a "party" line, phone service in rural areas was based on how much you, the individual, were willing to pay. Thus, unless you had serious money, if you had phone service, you got a "party" line, which was a single line shared by multiple people.

And yes, if you lived down a road with no existing service, you had to pay for poles and lines on your own. So the only reasonable thing to do was to wait for someone else to pay, and then pay for your connection. Yes, the utilities still owned all the equipment, even though you paid for all of it.

Top tip? Sprinkle bugs into your code to throw off robo-vuln scanners

Brian Miller Silver badge

Die early, recover quickly

The "false bugs" premise reminds me of the premise of building your software to recover quickly after a crash. I can imagine that it would be quite annoying for a word processor to flicker in and out of existence while writing a document, though.

Now that's a dodgy Giza: Eggheads claim Great Pyramid can focus electromagnetic waves

Brian Miller Silver badge

Re: "building material with the properties of an ordinary limestone is evenly distributed"

Consider the RF properties of a spherical cow, made of metal...

Just because something just happens to have a certain property, doesn't mean that anybody was using it that way. I would love to see an actual RF test of the pyramid, though. That might actually be informative.

Engineers, coders – it's down to you to prevent AI being weaponised

Brian Miller Silver badge
Devil

Mmmmm.... Evil!

The problem here is not the weaponization of AI, but the real lack of it. AI is being used for something like a "smells like terrorism" test, and then humans take that and push a button. There is no feedback to the software that it's done the wrong thing!

When AI is applied to warfare, it should be used the same way as carpet bombing or arclight: Let loose, and stand back. You want the target destroyed by software? It gets destroyed by software. It is the responsibility of those on the trigger and those in charge of them to not pull the trigger, or give the order!

In WWII, the USSR used radio-controlled flame thrower tanks because the Finns were so good at killing tanks with humans inside them. These days we are using remote-controlled mini-bombers.

If the military is going to kill people based on someone scratching their ass the wrong way or shopping habits, then the program is fully in the "Dr. Evil" realm, no two ways about it. This isn't about "the fog of war," because the U.S. isn't in a war. Our borders are not in Syria. One does not halt a problem by random approximation.

Let the AIs fully fight the war, if they are going to be brought into it. Otherwise, the humans should take full responsibility for their actions.

Get rich with Firefox or *(int *)NULL = 0 trying: Automated bug-bounty hunter build touted

Brian Miller Silver badge

#include <stdlib.h>
#include <string.h>

int main(void)
{
    void *p = malloc(1024);

    strcpy(p, "how now brown cow");

    free(p);   /* p is now dangling: it still holds the old address */

    /* go about other business, including more malloc()-free() */

    strcpy(p, "oh I forgot about the previous call to free()");   /* use-after-free */

    /* BORKED! */
    return 0;
}

There, you now know.
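The stale write in the post is exactly what sanitizers and hardened allocators catch with a "quarantine": a freed block is not handed straight back to malloc() but filled with a poison byte and parked, so any later write through the dangling pointer disturbs the pattern and can be reported. The following is an added example of that technique, not code from the comment above or from any real allocator; the quarantine_* names, the poison byte and the slot count are this example's own choices.

```c
/* Added example: a tiny quarantine-and-poison wrapper around free() that
 * detects writes to memory after it was "freed" (use-after-free).
 * Freed blocks are poisoned and parked instead of being released at once;
 * quarantine_check() later scans them for disturbed bytes.
 * The quarantine_* names are hypothetical, not any library's API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0xA5          /* pattern written over every freed block */
#define QUARANTINE_SLOTS 8        /* how many freed blocks we keep parked   */

struct qslot { unsigned char *ptr; size_t len; };
static struct qslot quarantine[QUARANTINE_SLOTS];
static size_t quarantine_used;

/* Free through the quarantine: poison the block and keep it parked.
 * When the quarantine is full, the oldest block is released for real. */
int quarantine_free(void *ptr, size_t len)
{
    if (ptr == NULL) return 0;
    if (quarantine_used == QUARANTINE_SLOTS) {
        free(quarantine[0].ptr);
        memmove(&quarantine[0], &quarantine[1],
                (QUARANTINE_SLOTS - 1) * sizeof quarantine[0]);
        quarantine_used--;
    }
    memset(ptr, POISON_BYTE, len);
    quarantine[quarantine_used].ptr = ptr;
    quarantine[quarantine_used].len = len;
    quarantine_used++;
    return 1;
}

/* Count parked blocks whose poison pattern was disturbed, i.e. blocks
 * that were written to after being freed. */
size_t quarantine_check(void)
{
    size_t corrupted = 0;
    for (size_t i = 0; i < quarantine_used; i++) {
        for (size_t j = 0; j < quarantine[i].len; j++) {
            if (quarantine[i].ptr[j] != POISON_BYTE) { corrupted++; break; }
        }
    }
    return corrupted;
}

/* Release every parked block for real (shutdown, or memory pressure). */
void quarantine_drain(void)
{
    for (size_t i = 0; i < quarantine_used; i++) free(quarantine[i].ptr);
    quarantine_used = 0;
}

/* The post's scenario, run under the quarantine. The stale strcpy() lands
 * in memory we still own (it is parked, not released), so this is safe to
 * run, and the check reports it. Returns the number of blocks caught: 1. */
size_t demo_use_after_free(void)
{
    quarantine_drain();
    char *p = malloc(1024);
    if (p == NULL) return 0;
    strcpy(p, "how now brown cow");
    quarantine_free(p, 1024);                 /* poisoned and parked */
    /* ... other business, including more allocations ... */
    strcpy(p, "oh I forgot about the previous call to free()");   /* stale write */
    size_t hits = quarantine_check();
    quarantine_drain();
    return hits;
}

/* Control case: free, drop the pointer, never touch it again. Returns 0. */
size_t demo_correct_free(void)
{
    quarantine_drain();
    char *p = malloc(64);
    if (p == NULL) return 99;
    strcpy(p, "how now brown cow");
    quarantine_free(p, 64);
    p = NULL;                                 /* no dangling pointer left */
    size_t hits = quarantine_check();
    quarantine_drain();
    return hits;
}

int main(void)
{
    printf("stale writes detected after forgotten free(): %zu\n", demo_use_after_free());
    printf("stale writes detected after clean free():     %zu\n", demo_correct_free());
    return 0;
}
```

Real sanitizers add a shadow map and report at the offending instruction rather than at a later scan, but the mechanism is the same: keep freed memory out of circulation long enough that a dangling write becomes visible instead of silently corrupting whatever malloc() handed out next.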

Brits whinging less? About ISPs, networks and TV? It's gotta be a glitch in the Matrix

Brian Miller Silver badge

Re: A better informed and empowered customer base?

... until you say that your PC is using Linux, whereupon they say "we don't support Linux" ...

I tell them that I'm running a Mac. Sure, I do actually have a Mac Mini, but that it's unplugged is beside the point.

For €10k, Fujitsu will tell you if your blockchain project is a load of bull

Brian Miller Silver badge

Fundamentals sound, hype is bollocks

The fundamental concept of a block chain is sound, but the hype that everything that is a block chain should be a "crypto-currency" is hype and bollocks.

For instance, a "chain" of video frames, where each frame contains a signature of its predecessor, is a good thing. But unless those video frames are useful, like BOFH blackmail, then its use as a currency is rather limited.

So: is your data useful? No? A blockchain won't help.

Dudes. Blockchain. In a phone. It's gonna smash the 'commoditization of humanity' or something

Brian Miller Silver badge

Like a teenage libertarian having his first few bottles of Thunderbird...

This phrase didn't give anything away, then?

Another data-leaking Spectre CPU flaw among Intel's dirty dozen of security bug alerts today

Brian Miller Silver badge

Re: So what? CPU Errata exist since the first products hit the market...

There's a bit of a difference between errata and "pants down" problems. Yes, AMD has much less of a problem than Intel, but I'll wager that it's inadvertent. I'd believe that it was deliberate if AMD released internal docs showing what security design decisions were made, how they realized the side channel attack could occur, and what could be done about it.

Now that world+dog know, hopefully future chips will have better design. At least the microcode can be updated, unlike the chips of yesteryear.

Boffins want to stop Network Time Protocol's time-travelling exploits

Brian Miller Silver badge

Re: Time NTP was upgraded (See what I did there!)

Unfortunately, things like Blockchain, and a lot of historical trading and other financial systems absolutely need reliable sub-second accuracy in order to record the absolute time of transactions to make sure that a successful sequence is recorded.

True, and PTP (IEEE 1588-2002) is designed for high-accuracy synchronization.

I've had the "fun" of setting up configurations of NTP clusters, and making sure they were actually staying accurate. NTP can, and will, go wonky when the configuration isn't right. I've seen a cluster, with uplink, go out of sync over the weekend, and the cluster's time was a week ahead of where it should have been. Yes, the cluster's time was in sync with itself, but not with its master.

Micro Focus offloads Linux-wrangler SUSE for a cool $2.5bn

Brian Miller Silver badge

Swelling price tag, if not profits

A value that went from $112 million to $2.5 billion, and a miserly growth? I'm not a financials man, but that seems steep for a Linux outfit.

The last time I'd looked at Suse was just after it was acquired by Novell. There wasn't enough to recommend it over Red Hat.

SD cards add PCIe and NVMe, hit 985 MB/sec and 128TB

Brian Miller Silver badge

Spec all you want, tech isn't there

According to SanDisk, the tech isn't there for going above 512Gb. And if you did have a 128Tb card, a read speed of 90Mb/sec would mean you'd be waiting about 40 days for the data transfer to complete.

German researchers defeat printers' doc-tracking dots

Brian Miller Silver badge

Special algorithm not required

After their algorithm identifies the pattern in use, it takes a mask of all possible dot locations in that pattern, and adds extra dots that conform to the layout, but render the code meaningless.

Or you could just use an image filter in the paint program. Really, this is silly. When you know these dots exist, defeating the encoding without special software is trivial, as they note.

Schneier warns of 'perfect storm': Tech is becoming autonomous, and security is garbage

Brian Miller Silver badge

Re: It's a logical conclusion to stopping to educate people

Back in my age, there were mandatory programming lessons at school, and things like data protection were explained on TV even in "edutainment" form.

Back in my age, the one computer room in one of the math classrooms had two Teletype machines with paper tape units, two Ohio Scientific boxes, and a couple of Ataris. Oh, the days of the acoustic couplers! Yes, and the Sperry-Univac 90/40 was state of the art.

So what's been learned between then and now? Nothing. A few years ago I interviewed for a position with a new company, and the fellow in charge told me he knew nothing of what needed to be done. Frightening. When there are idiots in charge, all chaos follows.

Hot new application for blockchain: How does botnet control sound?

Brian Miller Silver badge

Iota, not Ethereum

Oh my, if those nasty crooks use Iota, and modify it such that you don't do the proof of work, then they'll have their unassailable C&C.

Seriously, anything that uses certs and signing to lock down trust will prevent command injection attacks. Combine directed acyclic graph with game-of-life resiliency rules, and that would be a real monster.

What can you do when the pup of programming becomes the black dog of burnout? Dude, leave

Brian Miller Silver badge

No magic bullet, stupid management = stupid management

I read the link about DevOps, and that it means whatever it means. That means that it is snake oil and charlatanism. Really, "left-shifting security" as part of the right-hand side?

After all this time and good studies of planning, design, and development, why does everyone keep pretending that not one blighter out there knows how to write code??

Yes, it is a waterfall process: specify, design, develop, test, deploy. Nothing is fixed in stone, and every step can, and will, cause a jump back to the beginning. If you don't know what to develop, see design. If you don't know what to design, see specification. If you don't have any idea of the specification, maybe you'd best talk to somebody, see what they want, and give them feedback about their hallucinations.

It is true we can't be an expert in all areas. Right now I am working with a consultant who is allergic to C, and wanted to shell out from C to call a scripting language to make a REST call. Yes, really!

So yeah, there is burnout. Burnout actually comes from abuse. When the manager is the enemy, feel free to take a hike. I've done it plenty of times. Don't put up with it, feel free to push off.

Intel chip flaw: Math unit may spill crypto secrets from apps to malware

Brian Miller Silver badge

Re: Homomorphic encryption only option

I was thinking of homomorphic encryption starting with the keyboard input, and then going from there.

Yeah, there's attack vectors everywhere. We all live with it.

Brian Miller Silver badge

Homomorphic encryption only option

Homomorphic encryption is the only valid solution these days. Computationally expensive but what can you do when there is a side channel for everything?

Low AI rollout caused by dumb, fashion-victim management – Gartner

Brian Miller Silver badge

Isn't the testing phase a little worrisome, though? "Here, take these pills, the computer said so." Oops, there was an off-by-one and also a rounding error.

Game over, you're dead. Please stand by to respawn...

"The computer is your friend..."

Korean cryptocoin exchange $30m lighter after hacking attack

Brian Miller Silver badge

Speculative bubble bursts, economy fine

Betting on BitCoin is flat-out gambling. The money people know this, and bet "appropriately." That's why there are such amazing price gyrations against government-backed currencies.

US regains supercomputer crown from Chinese, for now

Brian Miller Silver badge

Recycling

What do they do with all of the old kit? At some point thousands upon thousands of "old" machines will be obsolete for their purposes. Presumably a supercomputer kit has a shorter life cycle than commercial kit.

Anybody know?

Crappy IoT on the high seas: Holes punched in hull of maritime security

Brian Miller Silver badge

220,000 tons IoT

A ship is a thing. It has been connected to world + dog with all of the security of a $20 web cam.

I'd read about these vulnerabilities years back, and silly me, I thought somebody had taken the problem seriously.

Oh well.

Experts build AI joke machine that's about as funny as an Adam Sandler movie (that bad)

Brian Miller Silver badge

Re: Start it off with an easier challenge

I've seen better stuff from a random phrase generator. Come to think of it, that's what most of the AI output has been like. Perhaps what we've really found is a completely different way of implementing random data generation based on an input data set.

If you have cash to burn, racks to fill, problems to brute-force, Nvidia has an HGX-2 for you

Brian Miller Silver badge

Bypass: psychedelica

OK, you've gone and trained your AI. You've spent God only knows how much only to be defeated by tie-dye psychedelic clothes and prismatic reflectors. That, and even with "good" data your algorithm has devised a new way to recognize grass and differentiate between sunny and cloudy days.

Somehow, this feels like big data for the sake of big data. How much of any of this has improved sales? "We implemented AI in the sales department, and gross profits leapt 50%." Maybe not. Has AI picked stocks better than a dart board? Not that I've heard. IBM fired most people in Watson Health. The killer AI app is autopilot for cars.

Snake oil and suckers, and then do it on a computer.

Epyc fail? We can defeat AMD's virtual machine encryption, say boffins

Brian Miller Silver badge

Re: Yes, hardware.

@ YetAnotherJoeBlow

But it has to be executed to be tested! That's the problem with code. A lot of errors only manifest during run time. And from poking my nose in the research paper, this seems like it's the result of some kind of race condition. Something like this is unlikely to be evident in reading the source.

Also, I don't know of either AMD or Intel ever publishing their microcode, for anything.

Brian Miller Silver badge

Re: Here we go again

Why don't we throw this out in a repo and see what becomes of it.

Hello? Hardware? Built into the chip??

All of this stuff is on the CPU die. Nobody is going to go and fab up a monster server chip for grins and giggles and have a go at it.

It's quite possible that some of these security problems were likely reviewed by their teams, and they figured that they'd have to make a trade-off. Perhaps AMD can do something with a microcode update, perhaps not.

Trio indicted after police SWAT prank call leads to cops killing bloke

Brian Miller Silver badge

Officer could still face charges

Wichita police officer Justin Rapp could still face federal charges. The feds have brought charges when local officers have been exonerated by the local DA.

Uber robo-ride's deadly crash: Self-driving car had emergency braking switched off by design

Brian Miller Silver badge

State of pedestrian irrelevant

The pedestrian does not control the car. It is up to the driver to do so. Since the pedestrian was detected six seconds before impact, the car should have been slowing, if not actively applying the brakes.

Samsung loses (again) to Apple in patent battle (again). This time to the tune of a mere $539m

Brian Miller Silver badge

Apple rips off Xerox, sues world+dog

Apple is such the design innovator. Or maybe not. Too bad Xerox waited too long to file a lawsuit against Apple. Maybe Samsung should claim preexisting designs and demonstrate it with all of the Xerox UI features.

As Tesla hits speed bump after speed bump, Elon Musk loses his mind in anti-media rant

Brian Miller Silver badge

Let the experiment begin!

So Musk plans to set up a website to rate the media on the web. Hey, go for it! Everybody just needs another button to click on the web!

Now, will they have read the article before rating it?

Microsoft, Google: We've found a fourth data-leaking Meltdown-Spectre CPU hole

Brian Miller Silver badge

Re: It's quite depressing really

They aren't copying each other, it's just that there's only so many ways to make something execute more instructions faster. And yes, speed is freaking important.

There are a lot of timing attacks and other side channels that yield information. One of the important points of all of this is that too many applications don't encrypt sensitive data, even with minimal encryption.

It's World (Terrible) Password (Advice) Day!

Brian Miller Silver badge

Re: What's the point?

But logs don't grab passwords, the computers store them there because the programmers wrote logging statements putting them there!

Come to think of it, can you imagine a computer system where systems are individually sentient? "The logging system grabbed that info because it suffers from kleptomania, and it's also a hoarder." "I keep getting spam in my inbox because the mail system feels that my love life needs improvement." "The compiler has been taking hits off the bong again."

Brian Miller Silver badge
FAIL

What's the point?

There have just been two articles about very popular sites writing passwords in plain text, so what's the point of the complexity when the website writes it out in plain text, stores it in plain text, and sometimes spafs it all to world+dog+gerbil because ... ah, what's the latest excuse for stupid, anyways?

Really, I don't trust the password managers, so I've been keeping passwords in a text file. The passwords just happen to be individually encrypted in AES256. Yes, they are random passwords.

But again, WTF is the point when assorted websites totally fail at their end to have any sense of security?

AWS sends noise to Signal: You can't use our servers to beat censors

Brian Miller Silver badge

Privacy != anonymity, roll your own!

I had to spend a bit of time reading up on the treatise about "Blocking-resistant communication through domain fronting."

#1. Using an implementation detail to avoid censorship means that real owners of said services and domains can change said details at a whim.

#2. Just because TLS doesn't hide everything you want it to hide, doesn't mean you can't roll your own protocol!

Solution: roll your own protocol. DNS-alike, TLS-alike, etc. There are lots of ways to keep a distributed network up and running without ever hitting a DNS server. These guys need to look for someone with network protocol experience, not app developers.


Biting the hand that feeds IT © 1998–2019