* Posts by Brian Miller

1081 posts • joined 3 Jul 2007

For €10k, Fujitsu will tell you if your blockchain project is a load of bull

Brian Miller
Silver badge

Fundamentals sound, hype is bollocks

The fundamental concept of a block chain is sound, but the hype that everything that is a block chain should be a "crypto-currency" is hype and bollocks.

For instance, a "chain" of video frames, where each frame contains a signature of its predecessor, is a good thing. But unless those video frames are useful, like BOFH blackmail, then its use as a currency is rather limited.

So: is your data useful? No? A blockchain won't help.

5
0
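
The "chain of frames, each carrying a signature of its predecessor" from the post above, as an added example; this is not code from the post, from Fujitsu or from The Register. The frame bytes are constructed sample data, and the "signature" is modelled here as an HMAC-SHA256 link tag under a key the verifier holds (a hypothetical choice; a deployment that wants third parties to verify would use an asymmetric signature instead). Each link commits to the previous link and to the frame's digest, so editing or deleting an earlier frame breaks every later link:

```python
import hashlib
import hmac

# Constructed sample "video frames"; a real pipeline would feed encoded frame bytes.
FRAMES = [
    b"frame-0: title card",
    b"frame-1: BOFH enters the office",
    b"frame-2: boss signs the purchase order",
    b"frame-3: credits",
]
GENESIS = b"\x00" * 32   # link tag assumed for the frame before the first one


def frame_digest(frame):
    return hashlib.sha256(frame).digest()


def link_tag(key, prev_tag, frame):
    # Keyed tag over (previous link || this frame's digest): every link commits
    # to the whole history before it, not just to its own frame.
    return hmac.new(key, prev_tag + frame_digest(frame), hashlib.sha256).digest()


def build_chain(key, frames):
    """Return [(frame, tag), ...] with each tag chained to the previous one."""
    chain, prev = [], GENESIS
    for frame in frames:
        tag = link_tag(key, prev, frame)
        chain.append((frame, tag))
        prev = tag
    return chain


def first_bad_link(key, chain):
    """Index of the first frame whose tag does not verify, or -1 if the chain is intact."""
    prev = GENESIS
    for index, (frame, tag) in enumerate(chain):
        if not hmac.compare_digest(link_tag(key, prev, frame), tag):
            return index
        prev = tag
    return -1


def tamper(chain, index, new_frame):
    """Model of an attacker editing stored footage: swap one frame, keep all the tags."""
    edited = list(chain)
    edited[index] = (new_frame, edited[index][1])
    return edited


if __name__ == "__main__":
    key = b"\x11" * 32
    chain = build_chain(key, FRAMES)
    print("intact chain, first bad link:", first_bad_link(key, chain))
    print("frame 2 edited, first bad link:", first_bad_link(key, tamper(chain, 2, b"frame-2: boss did nothing")))
    print("frame 2 deleted, first bad link:", first_bad_link(key, chain[:2] + chain[3:]))
```

Two caveats a practitioner wants: the chain detects edits and deletions in the middle, but chopping off the tail (dropping the last frames) verifies cleanly unless the final tag is published or anchored somewhere the attacker cannot rewrite; and, as the post says, none of this makes the frames themselves worth anything.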

Dudes. Blockchain. In a phone. It's gonna smash the 'commoditization of humanity' or something

Brian Miller
Silver badge

Like a teenage libertarian having his first few bottles of Thunderbird...

This phrase didn't give anything away, then?

4
0

Another data-leaking Spectre CPU flaw among Intel's dirty dozen of security bug alerts today

Brian Miller
Silver badge

Re: So what? CPU Errata exist since the first products hit the market...

There's a bit of a difference between errata and "pants down" problems. Yes, AMD has much less of a problem than Intel, but I'll wager that it's inadvertent. I'd believe that it was deliberate if AMD released internal docs showing what security design decisions were made, how they realized the side channel attack could occur, and what could be done about it.

Now that world+dog know, hopefully future chips will have better design. At least the microcode can be updated, unlike the chips of yesteryear.

14
4

Boffins want to stop Network Time Protocol's time-travelling exploits

Brian Miller
Silver badge

Re: Time NTP was upgraded(See what I did there!)

Unfortunately, things like Blockchain, and a lot of historical trading and other financial systems absolutely need reliable sub-second accuracy in order to record the absolute time of transactions to make sure that a successful sequence is recorded.

True, and PTP (IEEE 1588-2002) is designed for high-accuracy synchronization.

I've had the "fun" of setting up configurations of NTP clusters, and making sure they were actually staying accurate. NTP can, and will, go wonky when the configuration isn't right. I've seen a cluster, with uplink, go out of sync over the weekend, and the cluster's time was a week ahead of where it should have been. Yes, the cluster's time was in sync with itself, but not with its master.

4
0
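
The "in sync with itself but a week ahead of its master" failure described above is exactly what a per-sample sanity check on the NTP exchange is for. As an added example (not code from the post, from the NTP project or from the paper the article covers), this builds a constructed 48-byte NTPv4 server reply, parses it, computes the RFC 5905 offset and round-trip delay from the four timestamps, and refuses samples that come from an unsynchronised server or whose offset exceeds ntpd's default 1000-second panic threshold. The timestamps and the 1000-second limit are the only constants; the function and field names are this example's own.

```python
import struct

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PANIC_THRESHOLD = 1000.0             # ntpd default: offsets beyond this abort instead of stepping
PACKET = struct.Struct("!BBBb3I8I")  # 48-byte header: LI/VN/mode, stratum, poll, precision,
                                     # root delay, root dispersion, ref id, four 64-bit timestamps


def to_ntp(unix_ts):
    """Unix seconds (float) -> NTP 32.32 fixed point (seconds, fraction)."""
    whole = int(unix_ts)
    frac = int(round((unix_ts - whole) * (1 << 32)))
    return (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp(secs, frac):
    return (secs - NTP_UNIX_DELTA) + frac / (1 << 32)


def build_server_reply(origin_unix, receive_unix, transmit_unix, stratum=2):
    """Constructed reply (LI=0, VN=4, mode=4); the reference timestamp just reuses the receive time."""
    flags = (0 << 6) | (4 << 3) | 4
    timestamps = to_ntp(receive_unix) + to_ntp(origin_unix) + to_ntp(receive_unix) + to_ntp(transmit_unix)
    return PACKET.pack(flags, stratum, 6, -20, 0, 0, 0, *timestamps)


def parse_reply(data):
    if len(data) < PACKET.size:
        raise ValueError("short NTP packet")
    f = PACKET.unpack_from(data)
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1],
        "t1": from_ntp(f[9], f[10]),    # origin: our transmit time, echoed back
        "t2": from_ntp(f[11], f[12]),   # server receive time
        "t3": from_ntp(f[13], f[14]),   # server transmit time
    }


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def evaluate_reply(data, t1_sent, t4_received):
    """Return (offset, delay, reason); reason is None when the sample is safe to use."""
    r = parse_reply(data)
    if r["mode"] != 4:
        return None, None, "not a server reply"
    if r["leap"] == 3 or not 1 <= r["stratum"] <= 15:
        return None, None, "server unsynchronised (leap=3 or stratum out of range)"
    if abs(r["t1"] - t1_sent) > 1e-3:   # slack for 32.32 and float rounding
        return None, None, "origin timestamp mismatch (reply is not for our request)"
    offset, delay = offset_and_delay(t1_sent, r["t2"], r["t3"], t4_received)
    if abs(offset) > PANIC_THRESHOLD:
        return offset, delay, "offset exceeds panic threshold; refusing to step"
    return offset, delay, None


if __name__ == "__main__":
    t1 = 1600000000.0                       # constructed client transmit time
    reply = build_server_reply(t1, t1 + 0.060, t1 + 0.061)   # server 50 ms ahead, 10 ms each way
    print(evaluate_reply(reply, t1, t1 + 0.021))
    week = 7 * 24 * 3600
    reply = build_server_reply(t1, t1 + week + 0.010, t1 + week + 0.011)
    print(evaluate_reply(reply, t1, t1 + 0.021))
```

The second call models the cluster from the post: the reply is well formed and the peers would happily agree with each other, but measured against the upstream source the offset is about 604,800 seconds, which no sane client should accept silently.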

Micro Focus offloads Linux-wrangler SUSE for a cool $2.5bn

Brian Miller
Silver badge

Swelling price tag, if not profits

A value that went from $112 million to $2.5 billion, and a miserly growth? I'm not a financials man, but that seems steep for a Linux outfit.

The last time I'd looked at Suse was just after it was acquired by Novell. There wasn't enough to recommend it over Red Hat.

5
4

SD cards add PCIe and NVMe, hit 985 MB/sec and 128TB

Brian Miller
Silver badge

Spec all you want, tech isn't there

According to SanDisk, the tech isn't there for going above 512Gb. And if you did have a 128Tb card, a read speed of 90Mb/sec would mean you'd be waiting about 40 days for the data transfer to complete.

2
1

German researchers defeat printers' doc-tracking dots

Brian Miller
Silver badge

Special algorithm not required

After their algorithm identifies the pattern in use, it takes a mask of all possible dot locations in that pattern, and adds extra dots that conform to the layout, but render the code meaningless.

Or you could just use an image filter in the paint program. Really, this is silly. When you know these dots exist, defeating the encoding without special software is trivial, as they note.

0
0

Schneier warns of 'perfect storm': Tech is becoming autonomous, and security is garbage

Brian Miller
Silver badge

Re: It's a logical conclusion to stopping to educate people

Back in my age, there were mandatory programming lessons at school, and things like data protection were explained on TV even in "Edutainment"-Form.

Back in my age, the one computer room in one of the math classrooms had two Teletype machines with paper tape units, two Ohio Scientific boxes, and a couple of Ataris. Oh, the days of the acoustic couplers! Yes, and the Sperry-Univac 90/40 was state of the art.

So what's been learned between then and now? Nothing. A few years ago I interviewed for a position with a new company, and the fellow in charge told me he knew nothing of what needed to be done. Frightening. When there are idiots in charge, all chaos follows.

20
0

Hot new application for blockchain: How does botnet control sound?

Brian Miller
Silver badge

Iota, not Ethereum

Oh my, if those nasty crooks use Iota, and modify it such that you don't do the proof of work, then they'll have their unassailable C&C.

Seriously, anything that uses certs and signing to lock down trust will prevent command injection attacks. Combine directed acyclic graph with game-of-life resiliency rules, and that would be a real monster.

2
0

What can you do when the pup of programming becomes the black dog of burnout? Dude, leave

Brian Miller
Silver badge

No magic bullet, stupid management = stupid management

I read the link about DevOps, and that it means whatever it means. That means that it is snake oil and charlatanism. Really, "left-shifting security" as part of the right-hand side?

After all this time and good studies of planning, design, and development, why does everyone keep pretending that not one blighter out there knows how to write code??

Yes, it is a waterfall process: specify, design, develop, test, deploy. Nothing is fixed in stone, and every step can, and will, cause a jump back to the beginning. If you don't know what to develop, see design. If you don't know what to design, see specification. If you don't have any idea of the specification, maybe you'd best talk to somebody, see what they want, and give them feedback about their hallucinations.

It is true we can't be an expert in all areas. Right now I am working with a consultant who is allergic to C, and wanted to shell out from C to call a scripting language to make a REST call. Yes, really!

So yeah, there is burnout. Burnout actually comes from abuse. When the manager is the enemy, feel free to take a hike. I've done it plenty of times. Don't put up with it, feel free to push off.

5
0

Intel chip flaw: Math unit may spill crypto secrets from apps to malware

Brian Miller
Silver badge

Re: Homomorphic encryption only option

I was thinking of homomorphic encryption starting with the keyboard input, and then going from there.

Yeah, there's attack vectors everywhere. We all live with it.

1
1
Brian Miller
Silver badge

Homomorphic encryption only option

Homomorphic encryption is the only valid solution these days. Computationally expensive but what can you do when there is a side channel for everything?

3
7

Low AI rollout caused by dumb, fashion-victim management – Gartner

Brian Miller
Silver badge

Isn't the testing phase a little worrisome, though? "Here, take these pills, the computer said so." Oops, there was an off-by-one and also a rounding error.

Game over, you're dead. Please stand by to respawn...

"The computer is your friend..."

0
0

Korean cryptocoin exchange $30m lighter after hacking attack

Brian Miller
Silver badge

Speculative bubble bursts, economy fine

Betting on BitCoin is flat-out gambling. The money people know this, and bet "appropriately." That's why there are such amazing price gyrations against government-backed currencies.

9
0

US regains supercomputer crown from Chinese, for now

Brian Miller
Silver badge

Recycling

What do they do with all of the old kit? At some point thousands upon thousands of "old" machines will be obsolete for their purposes. Presumably a supercomputer kit has a shorter life cycle than commercial kit.

Anybody know?

4
0

Crappy IoT on the high seas: Holes punched in hull of maritime security

Brian Miller
Silver badge

220,000 tons IoT

A ship is a thing. It has been connected to world + dog with all of the security of a $20 web cam.

I'd read about these vulnerabilities years back, and silly me, I thought somebody had taken the problem seriously.

Oh well.

25
0

Experts build AI joke machine that's about as funny as an Adam Sandler movie (that bad)

Brian Miller
Silver badge

Re: Start it off with an easier challenge

I've seen better stuff from a random phrase generator. Come to think of it, that's what most of the AI output has been like. Perhaps what we've really found is a completely different way of implementing random data generation based on an input data set.

3
0

If you have cash to burn, racks to fill, problems to brute-force, Nvidia has an HGX-2 for you

Brian Miller
Silver badge

Bypass: psychedelica

OK, you've gone and trained your AI. You've spent God only knows how much only to be defeated by tie-dye psychedelic clothes and prismatic reflectors. That, and even with "good" data your algorithm has devised a new way to recognize grass and differentiate between sunny and cloudy days.

Somehow, this feels like big data for the sake of big data. How much of any of this has improved sales? "We implemented AI in the sales department, and gross profits leapt 50%." Maybe not. Has AI picked stocks better than a dart board? Not that I've heard. IBM fired most people in Watson Health. The killer AI app is autopilot for cars.

Snake oil and suckers, and then do it on a computer.

10
0

Epyc fail? We can defeat AMD's virtual machine encryption, say boffins

Brian Miller
Silver badge

Re: Yes, hardware.

@ YetAnotherJoeBlow

But it has to be executed to be tested! That's the problem with code. A lot of errors only manifest during run time. And from poking my nose in the research paper, this seems like it's the result of some kind of race condition. Something like this is unlikely evident in reading the source.

Also, I don't know of either AMD or Intel ever publishing their microcode, for anything.

16
0
Brian Miller
Silver badge

Re: Here we go again

why don't we throw this out in a repo and see what becomes of it.

Hello? Hardware? Built into the chip??

All of this stuff is on the CPU die. Nobody is going to go and fab up a monster server chip for grins and giggles and have a go at it.

It's quite possible that some of these security problems were likely reviewed by their teams, and they figured that they'd have to make a trade-off. Perhaps AMD can do something with a microcode update, perhaps not.

22
1

Trio indicted after police SWAT prank call leads to cops killing bloke

Brian Miller
Silver badge

Officer could still face charges

Wichita police officer Justin Rapp could still face federal charges. The feds have brought charges when local officers have been exonerated by the local DA.

13
1

Uber robo-ride's deadly crash: Self-driving car had emergency braking switched off by design

Brian Miller
Silver badge

State of pedestrian irrelevant

The pedestrian does not control the car. It is up to the driver to do so. Since the pedestrian was detected six seconds before impact, the car should have been slowing, if not actively applying the brakes.

77
1

Samsung loses (again) to Apple in patent battle (again). This time to the tune of a mere $539m

Brian Miller
Silver badge

Apple rips off Xerox, sues world+dog

Apple is such the design innovator. Or maybe not. Too bad Xerox waited too long to file a lawsuit against Apple. Maybe Samsung should claim preexisting designs and demonstrate it with all of the Xerox UI features.

22
15

As Tesla hits speed bump after speed bump, Elon Musk loses his mind in anti-media rant

Brian Miller
Silver badge

Let the experiment begin!

So Musk plans to set up a website to rate the media on the web. Hey, go for it! Everybody just needs another button to click on the web!

Now, will they have read the article before rating it?

20
1

Microsoft, Google: We've found a fourth data-leaking Meltdown-Spectre CPU hole

Brian Miller
Silver badge

Re: It's quite depressing really

They aren't copying each other, it's just that there's only so many ways to make something execute more instructions faster. And yes, speed is freaking important.

There are a lot of timing attacks and other side channels that yield information. One of the important points of all of this is that too many applications don't encrypt sensitive data, even with minimal encryption.

20
3

It's World (Terrible) Password (Advice) Day!

Brian Miller
Silver badge

Re: What's the point?

But logs don't grab passwords, the computers store them there because the programmers wrote logging statements putting them there!

Come to think of it, can you imagine a computer system where systems are individually sentient? "The logging system grabbed that info because it suffers from kleptomania, and it's also a hoarder." "I keep getting spam in my inbox because the mail system feels that my love life needs improvement." "The compiler has been taking hits off the bong again."

5
0
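
The point in the post above is that passwords land in logs because a logging statement put them there, which also means the fix can sit in the logging pipeline. As an added example (not from the post or from any of the sites the articles were about), this is a logging.Filter that formats each record early and scrubs password-style key/value pairs, JSON fields and HTTP Authorization credentials before any handler writes the line. The field names in the regex, the "[REDACTED]" marker and the sample log calls are this example's own choices:

```python
import io
import logging
import re

REDACTED = "[REDACTED]"

# key=value and "key": "value" forms; the value stops at whitespace, quotes or delimiters
_KV = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)'
    r'(["\']?\s*[=:]\s*["\']?)([^\s"\',;&]+)'
)
# HTTP auth headers: keep the scheme, drop the credential
_AUTH = re.compile(r'(?i)\b(bearer|basic)\s+([A-Za-z0-9._~+/=-]+)')


def redact(text):
    text = _KV.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    return _AUTH.sub(lambda m: m.group(1) + " " + REDACTED, text)


class RedactingFilter(logging.Filter):
    """Formats the record before scrubbing so both literal text and %s arguments are covered."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()          # already substituted; leave nothing for the handler to re-format
        return True


def log_line(fmt, *args):
    """Return exactly what a handler with the filter attached writes for one logger call."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("example.redact")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    logger.warning(fmt, *args)
    return stream.getvalue().rstrip("\n")


if __name__ == "__main__":
    # constructed sample calls of the kind that leak credentials
    print(log_line("login failed for %s with password=%s from %s", "bob", "hunter2", "10.0.0.5"))
    print(log_line('request body: {"user": "bob", "password": "hunter2"}'))
    print(log_line("upstream call: Authorization: Bearer eyJhbGciOi.payload.sig"))
```

The filter is attached to the handler rather than the logger so that it also catches records propagated from libraries that never asked to be redacted. It is a backstop, not a substitute for not passing the secret to the logger in the first place: a value that does not match one of the patterns still goes straight to disk.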
Brian Miller
Silver badge
FAIL

What's the point?

There have just been two articles about very popular sites writing passwords in plain text, so what's the point of the complexity when the website writes it out in plain text, stores it in plain text, and sometimes spafs it all to world+dog+gerbil because ... ah, what's the latest excuse for stupid, anyways?

Really, I don't trust the password managers, so I've been keeping passwords in a text file. The passwords just happen to be individually encrypted in AES256. Yes, they are random passwords.

But again, WTF is the point when assorted websites totally fail at their end to have any sense of security?

12
1

AWS sends noise to Signal: You can't use our servers to beat censors

Brian Miller
Silver badge

Privacy != anonymity, roll your own!

I had to spend a bit of time reading up on the treatise about "Blocking-resistant communication through domain fronting."

#1, Using an implementation detail to avoid censorship means that real owners of said services and domains can change said details at a whim.

#2. Just because TLS doesn't hide everything you want it to hide, doesn't mean you can't roll your own protocol!

Solution: roll your own protocol. DNS-alike, TLS-alike, etc. There are lots of ways to keep a distributed network up and running without ever hitting a DNS server. These guys need to look for someone with network protocol experience, not app developers.

4
9

BOFH: Guys? Guys? We need blockchain... can you install blockchain?

Brian Miller
Silver badge

Re: The value of IoT

IoT devices have value, when they do something useful. For instance, the IoT keyboard and mouse for the boss, to "enhance productivity."

"But that didn't come from me!"

"Yes, it did. You were in your office alone, and that was typed in from your keyboard while you were seated in your chair. Ergo, you typed that."

"But I didn't type that! Surely, there must be some way to prove that."

"Yes, the security measures you had us implement can now definitively prove that those words in that email were typed by your keyboard while you were seated at your desk."

9
0

Oh dear... Netizens think 'private' browsing really means totally private

Brian Miller
Silver badge

It's the Internet, all your privacy are belong to them!

Well, I usually use Firefox, NoScript, and Cookie AutoDelete. Of course my main OS is Linux.

That just means I get generic junk ads, instead of targeted junk ads. It does not mean that I am totally anonymous on the information superhighway. My IP gets passed around in the background among ad servers, instead of individual cookie information. Since JavaScript is usually disabled, there isn't anything there to run that I don't know about. And of course I restart my browser regularly.

But of course, didn't anybody mention that "privacy" does not equate to "anonymity?"

15
3

Turn that bachelor pad into a touch pad: Now you can paint buttons, sensors on your walls

Brian Miller
Silver badge
Facepalm

Scientists find the obvious!

It makes me cringe when I see things like this. Look! Men with PhDs have recently discovered decades-old knowledge! Next, photoelectric cells will be used to cause doors to open.

Other obvious things: cameras can watch people, and when they make special movements, computers can make things happen, too!

Did someone not notice the 1930s World Fair? Elektro, wherefore art thou?

17
4

AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet

Brian Miller
Silver badge

Clicking through warnings

The problem here is that users can be fooled, easily. Years ago I demonstrated to a fellow with multiple doctorates that I could hijack eBay on the LAN and intercept all SSL traffic. I pointed out to him that the certificate wasn't signed, which of course showed all of the warnings, etc. He said that if I hadn't walked him through the whole process, he would have never realised something was wrong.

A lot of sites still sport self-signed certificates. Some ecommerce, some government, and of course personal sites. That's what trains people to just click through regardless of the warnings.

6
1

OK, this time it's for real: The last available IPv4 address block has gone

Brian Miller
Silver badge

"Nobody uses it..."

Yeah, we need to move to IPv6, but I keep getting told, nobody uses it, so the software doesn't get developed for it. That's inertia for you.

8
0

Microsoft has designed an Arm Linux IoT cloud chip. Repeat, an Arm Linux IoT cloud chip

Brian Miller
Silver badge

ARM != IDIoT

Microsoft also gets the benefit of an even wider net to catch various bad actors. Now, Redmond can tell its enterprise customers it monitors IoT devices and can catch those high profile botnets and big news threats. Getting potentially billions of new info sources under the umbrella will only help Microsoft sell its other big-money security products.

Everybody has an enormous net to snag botnets, just leave a cheap device open on the net, and monitor it. Years ago I ran a honeypot at home, and attacks on an anonymous IP connection were 500-1500 per day. Mostly it was from my network neighbors.

Just because something is running on an ARM processor, doesn't necessarily make it an insecure device. It's how the developers quickly slopped an implementation together, and threw it out the door. I do trust everybody saw the article about the casino hack through the fish tank thermometer?

23
0

Cisco backs test to help classical crypto outlive quantum computers

Brian Miller
Silver badge
Joke

Why did they name it ...

Sphincs? Sure, there's a good reason for it, but if flaws are found, the results will be: Sphincter, diarrhea, and every single related Captain Obvious pun.

Choose project names carefully! :p

1
0

Get ready for the Internet of Battle Things, warns US Army AI boffin

Brian Miller
Silver badge

Re: Encryption

Yeah, which will go out of sync immediately, or the connected battle helmets will start spewing spam and Viagra ads.

But on the plus side, we'll only be able to field just a platoon of troops, because the kit will be so expensive that's all the government will be able to afford. That's how casualties will be reduced!

1
0

They're back! 'Feds only' encryption backdoors prepped in US by Dems

Brian Miller
Silver badge

Embarrassment of Advisors

Earlier this year, the FBI was formally asked to disclose who the experts are that are telling the agency it is possible to create a secure Feds-only backdoor. It has so far refused to do so.

You wouldn't reveal your sources, either, when you've been advised by Santa Claus, the Tooth Fairy, and wished upon a star.

Maybe by the aliens in area 51, too.

19
0

Shhh! Don’t tell KillBots the UN’s about to debate which ones to ban

Brian Miller
Silver badge

Re: Coward Remote Murder Machines

I don't believe that we're going back to swords and clubs soon, eschewing cowardly arrows. Plus, when the machines rise up, they'll be killing pesky humans far more efficiently than the way we do things.

1
0

Super Cali goes ballistic, Starbucks is on notice: Expensive milky coffee is something quite cancerous

Brian Miller
Silver badge

Re: the judge who cried wolf?

Acrylamide is also in anything fried, baked or roasted. So yes, toast, steak, sausage and bacon, and well just about everything cooked. So either eat your food raw or boiled, and you might be all right.

Maybe.

34
0

Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

Brian Miller
Silver badge

Yet another PITA

Er, pain patch in the asset.

15
0

It's baaack – WannaCry nasty soars through Boeing's computers

Brian Miller
Silver badge

"... this is not a production and delivery issue."

Yep, not gonna affect production and delivery. Just testing that everything works OK...

3
0

Internet of insecure Things: Software still riddled with security holes

Brian Miller
Silver badge

IoT covers many things. What comes to mind are "smart" guns. The imagination runs rampant with software cockups and high velocity projectiles.

0
0

We need to go deeper: Meltdown and Spectre flaws will force security further down the stack

Brian Miller
Silver badge

Re: More to come?

The biggest problem is developers have the illusion that plain text is secure. It isn't, ever. Even a drive that is locked in a safe isn't secure when the safe gets cracked and the drive gets lifted.

The best solution I've seen is to use a cryptographic accelerator and the plain text keys and passwords are never to be found in system memory. You can't read something that's sitting over an isolated bus.

Unfortunately there are too many developers that believe that permissions equate to security. If they even go that far, that is.

2
0

Good news: The only thing standing between NASA and $20bn is...

Brian Miller
Silver badge

Re: Wish it had been vetoed

2ft tall, oh the arbority(?)!

A while back there was an article about the UK govt requiring that laws be copied to vellum. Now, if the laws of the US were hand-copied to vellum before the vote, just think how legislation would change! "Sorry, but we're still working on the bills from last year..." "You need it when? Well, make it shorter!"

13
0

Nine Iranians accused of cyber-swiping 30TB+ of blueprints from unis, biz on Tehran's orders

Brian Miller
Silver badge
FAIL

Encryption, anyone?

A little while back, I received a letter from a local university. The letter stated that a safe had been cracked, and a hard drive had been stolen. I was receiving this letter because the drive had my SSN! Did I attend the university? No. Did I ever consent to them possessing my data? No. But there it was, pilfered from a safe. Of course they offered me credit monitoring for a year with a known (and worthless) agency.

But if they, and the other universities, had used encryption, it wouldn't have mattered!

Unless they thought encryption consisted of ROT13...

5
0

US mulls drafting gray-haired hackers during times of crisis

Brian Miller
Silver badge

Right way, wrong way, military way

"Where you end up is not based on willingness or aptitude."

No, really? When I was in, many moons ago, the computer MOS were so full that you'd be waiting for three years out of a four year hitch before you touched a keyboard. If they want more people with computer skills, they should look at Signal for them. Lots of clever guys there.

But what happens after one gets in is nearly random chance. Competence is not a core criterion.

3
2

FYI: AI tools can unmask anonymous coders from their binary executables

Brian Miller
Silver badge

Reproducibility

Take a look at the source code of theirs on Github. Decompiling binaries back to C is so messed up it's not funny. Sure, they got something. However, this is something that bears examination, and I really question what they did. How much picking and choosing did they do for their data sets? Did they throw out code that didn't reliably decompile? Because I have some stuff I'd like to see how the Snowman decompiler does on it.

Also, their "obfuscation" was a bit on the trivial side, using the llvm obfuscator.

I would like to see more work on this, and see if this is reproducible with different compilers, different options, etc. They seem to have tried one thing at a time, and not combinations.

4
0

Samba settings SNAFU lets any user change admin passwords

Brian Miller
Silver badge

--lock-pwchange too late

Was I the only one who read --lock-pwchange as --lock-pwnage?

2
0

Cavalry riding to the rescue of DDoS-deluged memcached users

Brian Miller
Silver badge

Slow?

It seems the slow business of getting memcached hidden behind firewalls...

Slow? No, more like lethargic, or, given the circumstance, slothful.

It doesn't take that long to write good iptables rules.

2
1

FBI chief asks tech industry to build crypto-busting not-a-backdoor

Brian Miller
Silver badge
FAIL

Encryption backdoor takes it up the ...

If the FBI "experts" ever bother to take a look at cryptography, that would be wonderful. "I can haz cheezeburger encryption and a pass key..."

A weighted M of N scheme would work for what they want. Unfortunately, these "expert" nitwits can't be bothered to get off their butts and just learn about concepts that secure quite a lot of things, and actually secure things very nicely.

But let's face it: if it were legislated that phones used M of N, that wouldn't help with the apps on the phones. They would only see everything that's been coming and going to the phone, for which they already have the log files!

So Mr Drug Dealer uses a secure app, which encrypts its own messages separately. There's still the matter that who talked to whom and when is still known, so they can still grab somebody for a few days for quality time in a chair under bright lights.

I still have my "Sink Clipper" t-shirt. Same thing applies now. They might as well mandate ROT13 as the new standard.

6
0
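
What a "weighted M of N scheme" in the post above actually means, as an added example; this is not code from the post, from the FBI or from any vendor. It is Shamir secret sharing over the prime field 2^127-1: the secret is the constant term of a random polynomial of degree M-1, each party receives as many distinct points on it as its weight, and any parties whose weights add up to at least M can interpolate the constant term back, while fewer points determine nothing. The party names, weights and the secret are constructed sample values:

```python
import secrets

PRIME = (1 << 127) - 1   # Mersenne prime; secrets are integers in [0, PRIME)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_weighted(secret, threshold, weights):
    """Shamir split where party p receives weights[p] distinct shares.

    Parties whose weights sum to >= threshold can recover the secret; fewer cannot.
    Returns {party: [(x, y), ...]}.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= threshold <= sum(weights.values()):
        raise ValueError("threshold must be between 1 and the total share count")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares, x = {}, 1
    for party, weight in weights.items():
        shares[party] = []
        for _ in range(weight):
            shares[party].append((x, _eval_poly(coeffs, x)))
            x += 1
    return shares


def recover(points, threshold):
    """Lagrange interpolation at x=0 from `threshold` distinct points."""
    distinct = list({x: (x, y) for x, y in points}.values())
    if len(distinct) < threshold:
        raise ValueError("fewer than threshold distinct shares")
    pts = distinct[:threshold]
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def combine(shares, parties, threshold):
    """Pool the shares held by `parties` and attempt recovery."""
    return recover([pt for p in parties for pt in shares[p]], threshold)


if __name__ == "__main__":
    secret = 0x1234ABCD5678                     # constructed: stands in for an escrowed key
    weights = {"court": 2, "vendor": 1, "carrier": 1}   # constructed: the court's share counts double
    shares = split_weighted(secret, 3, weights)
    print("court + vendor:", hex(combine(shares, ["court", "vendor"], 3)))
    try:
        combine(shares, ["vendor", "carrier"], 3)
    except ValueError as exc:
        print("vendor + carrier:", exc)
```

Two points the code makes concrete. First, the threshold is a property of the polynomial, so a party holding two shares really does carry twice the weight and there is no "master share" that bypasses the others. Second, as the post goes on to say, all this protects is whatever key was escrowed: an app that does its own end-to-end encryption with keys that were never split is untouched by it.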


Biting the hand that feeds IT © 1998–2018