* Posts by Lee D

3029 posts • joined 14 Feb 2013

Happy Thursday! 770 MEEELLLION email addresses and passwords found in yuge data breach

Lee D Silver badge

As a demo, HaveIBeenPwned also lets you search for anything@yourdomainname.

I get the following:

The address I use to report broken links on my website.

The address I use as complete junk that doesn't even deliver any more (just bounces any incoming email with a rude server message)

About 14 variations of the above junk (with appended letters, cut-off short, etc. so obviously lots of spam software suffers from off-by-ones!)

A handful of addresses given to companies that were compromised (including places like Kickstarter, SolarWinds, 1&1 and Macromedia).

Two addresses used to sign up on forums I used to frequent.

Two addresses used on public Usenet mailing lists

20-30 literal made up rubbish that has never existed at my domain (more off-by-ones, e.g. "real" usernames that are alphabetically close to addresses that do exist, but not at my domain).

Most of these things are just everyday compromises of forums and stuff, and using one GMail address to sign up for them all is just asking for trouble. Presumably at least some of those accounts had their passwords compromised too, not just the email address.

These people can't be trusted to keep your account information secure from spambots or password compromises. So use unique addresses and passwords, and then manage them all from one place, including terminating them if compromised and not using those companies again.

Lee D Silver badge

Stop using one email address.

Buy a domain. Make a new address at that domain for each service. If a service is compromised, throw it away / block it, and use another.

Have them all redirect to... whatever you want. Like a GMail. If that gets compromised, you just point the domain at a fresh account and you don't have to go and change everything.

Costs pennies a year. Takes about 20 minutes to set up even in the worst case. Gives you infinite email addresses (and ones to put in spam forms that you have to supply an email). Lets you keep the same emails on services forever, and change to whatever provider you like at any time.

HSBC suggests it might have found a... use for blockchain?

Lee D Silver badge

Re: Probably different model

Absolutely.

Bitcoins are basically generated by an anti-spam measure to stop one person hoarding all the coins without a proportional expense/effort on their part. You could have literally let people get a Bitcoin just by sending an email to an automated address, if you'd wanted, and used that as the ledger entry.

A ledger itself, though, just needs to know who made the transaction, who signed off on it, who can revoke it, and then put it into the ledger. Importantly, even complete compromise of their key cannot erase the history of what that key did, as each transaction is in effect "signed" by the next (basically the core idea of blockchain).

Think of it not like Bitcoin but like those play-by-mail games of old. You collect the transactions, perform the calculations, and modify the "database" in the middle. Then you send out the results of the next "round", everyone else can see the effects of those new results and "previous moves" but you can't change them.

The only difference is that instead of one person performing the calculations, you're publishing the data, letting everyone do the calculations at the same time, waiting for everyone to agree what the result is, and then having everyone sign off on that result.

Bitcoin does that, WHILE solving a pointless maths problem that's hard to solve (I believe it is literally "hashing the entire existing blockchain with random numbers until the hash results in 00000000000000000000000" - or it certainly was at one point). It's literally a time-effort-and-money-burning exercise so that there's something that has to happen to make a coin.
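The chaining idea from the post above, as an added example that is not part of the original post: each entry's hash covers the previous entry's hash, so changing an old entry is detectable, and re-doing the work for that one entry still breaks the link to everything after it. The field names, the sample payloads and the toy difficulty (leading zero hex digits) are assumptions for illustration, not Bitcoin's actual block format.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # assumed placeholder "previous hash" for the first entry
DIFFICULTY = 3       # assumed toy difficulty: leading zero hex digits required


def entry_hash(prev_hash, payload, nonce):
    """Hash covers the previous entry's hash, so it commits to all earlier history."""
    body = json.dumps({"prev": prev_hash, "payload": payload, "nonce": nonce},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def mine(prev_hash, payload, difficulty=DIFFICULTY):
    """Try nonces until the hash meets the difficulty target (the 'burned effort')."""
    nonce = 0
    while True:
        digest = entry_hash(prev_hash, payload, nonce)
        if digest.startswith("0" * difficulty):
            return {"prev": prev_hash, "payload": payload,
                    "nonce": nonce, "hash": digest}
        nonce += 1


def append(ledger, payload):
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append(mine(prev_hash, payload))


def first_bad_entry(ledger, difficulty=DIFFICULTY):
    """Return the index of the first entry that fails verification, or None."""
    expected_prev = GENESIS
    for index, entry in enumerate(ledger):
        digest = entry_hash(entry["prev"], entry["payload"], entry["nonce"])
        if (entry["prev"] != expected_prev
                or digest != entry["hash"]
                or not digest.startswith("0" * difficulty)):
            return index
        expected_prev = entry["hash"]
    return None


def build_sample():
    """Constructed sample ledger of three transfers."""
    ledger = []
    for payload in ({"from": "bank-a", "to": "bank-b", "amount": 100},
                    {"from": "bank-b", "to": "bank-c", "amount": 40},
                    {"from": "bank-c", "to": "bank-a", "amount": 5}):
        append(ledger, payload)
    return ledger


def edit_in_place(ledger, index, payload):
    """Change an old payload but leave its stored hash alone."""
    forged = copy.deepcopy(ledger)
    forged[index]["payload"] = payload
    return forged


def edit_and_remine(ledger, index, payload):
    """Change an old payload and redo the work for that one entry only."""
    forged = copy.deepcopy(ledger)
    forged[index] = mine(forged[index]["prev"], payload)
    return forged


if __name__ == "__main__":
    ledger = build_sample()
    changed = {"from": "bank-b", "to": "bank-c", "amount": 4000}
    print("intact ledger:", first_bad_entry(ledger))
    print("edited in place:", first_bad_entry(edit_in_place(ledger, 1, changed)))
    print("edited and re-mined:", first_bad_entry(edit_and_remine(ledger, 1, changed)))
```

The last entry has no successor vouching for it, which is why verifiers wait for further entries to be built on top before treating one as settled.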

Lee D Silver badge

Re: immutability provided by DLT

At a minimum, I'd expect that they'd need 51% of co-operating foreign exchanges to recognise the transaction as valid before it could be "falsified" into the blockchain.

Coin-based blockchain attacks are when malicious users own 51% of your blockchain AND you choose to recognise their branch of the blockchain as definitive.

There's two different things at play, and a distributed ledger is going to have a lot more control stopping you getting 51% of the ledger under your control - maybe even by the simple precept of "there are only a hundred master nodes and HSBC control 20, another bank controls another 20, etc.").

Lee D Silver badge

Re: Truth

"To execute the attack, the miner acquired at least 51 percent of the network’s total hashpower, which provided them with temporary control of the blockchain"

Sure, if one malicious entity is able to enter arbitrary transactions against your network without your knowledge, after taking control of half the people able to enter transactions on said network (note, this wouldn't include *users* or people *viewing* the chain to verify transactions, only those capable of making their own).

I think you'll find that any distributed ledger would be vulnerable to attack in such a circumstance.

You're literally asking "half-the-world's foreign-exchange banks" to collude to make a transaction that the others will accept as genuine, in a way that's blindingly obvious, flags all kinds of warnings immediately, and would only proceed if you were stupid enough to not put decent checks in your system and wait for the right number of verifications from trusted entities - at that point, you have bigger problems than what you use to record that transaction.

Army had 'naive' approach to Capita's £1.3bn recruiting IT contract, MPs told

Lee D Silver badge

Re: Actually...

Loads.

They all cost twice as much, because they just account for things properly, so it's seen as a "saving" to not use them, even if people make a royal mess.

What they should do is fund prototype creation, test with users, and do it in a double-blind fashion so that the people using and specifying the system have ZERO idea what it costs, and the people offering the systems have no idea how much the other guy paid.

Then you can literally tie them down to "this works like junk, here, take your £10k pilot investment and get out", "This needs to work in the final product, will it work? What kind of speed?", "I'd like you to implement this change in the prototype, here's another £10k", etc. until people are happy with the system and that it does what they need. Then sign off on it working. THEN get into whether it's value for money only at the very final stage once you've got rid of all the rubbish systems.

The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit

Lee D Silver badge

Systemd suffers from many problems.

1) It was supposed to "replace all those shell scripts". And it did so. For some of them. With opaque C code that's vulnerable to all kinds of overflow and means you can't simply modify it without being a full-on programmer running a modified systemd binary.

2) It was supposed to "resolve all the dependency issues". Which it does... mostly. But via ways that basically require interpreting plain-text configuration files and spawning processes that could have been done in ANY language... including shell scripts. I see nothing that systemd does in this regard that a suitably intelligent single daemon couldn't manage without having to be tied into EVERYTHING. It uses new-kernel features to do some things like process groups, etc. but that's because they *didn't exist* in the kernel many years ago.

3) It tries to replace, rather than utilise or supplement, every service it touches. From "init dependency", it now replaces entirely your local DNS server, syslogging functionality, NTP, network interfaces, hardware detection, etc. and it just rides roughshod over everything, removes all your existing daemons and doesn't even try to do the rest of their jobs.

4) It replaces logging - in the same way that it replaces init/config... it could have just started with a backwards-compatible plain-text log-file but provided a tool that searches and filters them as per its current way of operating, without replacing the way EVERYTHING logs so that you can no longer just cat a log from /var/logs and expect it to be there, or contain the information you want, without going in and basically telling it to do so manually. And debugging what syslog itself is doing is a nightmare of filtering logs.

5) In the end... my computer used to boot up and work and be configurable and was pretty secure. Now it boots up (usually), works (usually), is pretty opaque (yes, I'm sure there's a way to "do" all those things, but it's nowhere near obvious) and is subject to things like vulnerabilities in a root-level binary process that doesn't drop privileges in order to do things like logging a multi-megabyte syslog message safely. Simple ways to add new startup services etc. are no longer simple, backward compatibility with old init configurations is gone, etc. I literally have no idea what it's going to do in what order any more. And it's literally no faster to boot or operate.

I see no problem that systemd "solved" (maybe some cloud-computing datacenter manager has something useful in there, for me as a mere mortal running networks and using a computer at home) - all it did was replace a system I could read and edit with one that I don't stand a chance of doing so without recompiling the equivalent of "init". For a problem that we could have solved in a bash script, while retaining backward compatibility until the natural advantages of it showed themselves.

As far as systemd is concerned - I just boot my distro. If it doesn't boot, or doesn't boot properly, then that's game over. I can do nothing. I don't see that as a plus in any way. In fact, it makes me nervous on every kernel or systemd upgrade that my distros put out. And I will back all problems in it back to the distro, whether by "not using it" or by making a fuss.

When we start getting root-level holes in these things because of simple things like "syslogging a large message" then it's really time to abandon it. Keep the config. Keep the syntax. Keep the same binary name, if you like (for compatibility - I never got why ipchains had to be replaced with iptables when you could have just made both be an alias to iptables which converted the older to the newer if it was ever invoked that way - and now it's no longer iptables either, and so on). Take "what systemd does" and get an equivalent that we can actually understand and use and fix easily.

I consider it a little like DBus and NetworkManager. Suddenly huge dependencies on DBus and X-Windows on everything you touch for no real reason, opaque and conflicting processes all trying to do simple things, and no way to really manage what's going on and instead you have to just "trust in the distro". Literally the core principle of open-source is out of the window not through closure of source, but through layers of obfuscation between the user and what the system is doing.

It wouldn't be so bad if it was a tiny collection of small utilities, one per job, that were replaceable and auditable, but it's now hundreds of thousands of lines of C.

Sorry, Samsung. Seems nobody is immune to peak smartphone

Lee D Silver badge

Stopped at the Samsung Galaxy S5 Mini.

When you start putting back things like removable batteries, not terminating Android version upgrades a year after release, putting the headphone ports back in, and none of the ridiculous race-to-the-uncomfortably-thin/fragile/irreparable, then maybe we can talk. Oh, and stop changing the USB connector.

Oh, and make it a couple of hundred quid, rather than several weeks' wages.

Encryption? This time it'll be usable, Thunderbird promises

Lee D Silver badge

Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

Samba is used for SMB/CIFS file access. It works. And a lot of devices have it (most is pushing it... most Android tablets would never ship with Samba by default, there are apps to be SMB clients, for example - sure, NAS, media centers maybe, etc. but otherwise no).

But that's just one tiny feature - with no authentication whatsoever. That's the "home user accessing the computer that's open to the entire network" feature, not any significant usage of SMB/CIFS that even a basic NAS would implement.

Centralised storage relies on authentication. Authentication relies on Active Directory/LDAP/Kerberos integration. In the case of Samba, those things aren't "standard" LDAP/Kerberos, I believe (correct me if I'm wrong, but didn't Samba have to ship with its own implementations? That may have changed now, but the days of things like LikeWise Open etc. it was necessary to install completely different and separate versions to the LDAP/Kerberos software that came as standard on most distros).

Samba touts itself as:

"the standard Windows interoperability suite of programs for Linux and Unix.... secure, stable and fast file and print services for all clients using the SMB/CIFS protocol... an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member."

You're talking about unauthenticated (or trivially authenticated, i.e. local computer logins) access to a share... but the software is claiming to offer an interoperability suite for Linux/Unix machines, as well as AD integration and domain controllership.

Additionally, although such SMB/CIFS isn't trivial to implement, it's literally just a tiny and necessary first step to any kind of network integration. It's literally not even enough to log into a network shared drive, for instance, rather than a home shared drive. Samba have had "co-operation" from Microsoft enforced by an EU court, not to mention EU funding, and DECADES of developer time put behind them. And they fulfill one tiny component.

Sure, the software gets used a lot for that (basically the equivalent of "smbclient" functionality, as was), but Samba is claiming to be, aiming to be, and has for a long time wanted to be, a lot more than a network filesystem interface. And yet it still can turn into a nightmare to, say, get to \\domain.com\netlogon ... AD auth, DFS, internationalisation, ACLs, etc. all kick in on even the most bare basics of "trying to get your Unix machines to talk to Windows machines".

There are no domain admin tools. Not even an "AD Users & Computers" equivalent. We're told to "just use the Windows tools" (I'd actually pay more for a Windows AD management tool set that worked on non-Windows computers, than I would for a software that let me set up a Windows AD running on a non-Windows computer). So you can't run a Windows-style AD using Samba alone, without having to manage users extremely manually.

The fact is, 27 years after initial release, 15 years after "Active Directory Support" was listed, it's still not there for anything other than a bog-standard, simple-passworded share - something trivially achievable with TFTP, let alone NFS or similar alternate technologies. But we have "Apple Time Machine Support" and Btrfs-compression!

I have created, managed, and decommissioned entire school networks reliant on Samba and projects like Likewise Open (as was, it keeps changing names) - one school we had netbooks that authenticated against the AD via PAM. They "work". If you're prepared to accept a whole bunch of caveats, severely limited functionality and manageability.

The reason is that it's incredibly hard to follow the protocol. Even just keeping the barest of "I'd like to access \\server\folder\filename" functionality working, up-to-date and secure takes up a vast chunk of developer time once it involved integrating with a fast-moving proprietary product that has to be reverse-engineered.

P.S. There's only one command in Windows PowerShell that I use with any regularity. The modern equivalent of ntdsutil to promote/demote DCs (I never remember the commands and have to Google them each time, that's how often I use them). Given that I administer Windows networks for a living for the last 20 years, using that as an attack on Windows is really quite weak.

Fact is, I can create and permission a user in Windows AD in seconds, including fine-tuned delegation of AD editing rights to the user, and all kinds of settings, group membership, inheritance, etc. It's just not possible in "Samba"... certainly not without an entire swathe of commands typed in on the console - and in a Samba-only environment, I'm not sure it's possible at all (you need AD Users & Computers running from a Windows machine?).

What you have is the equivalent of saying "We have Microsoft Office" when what you really have is a command-line tool like antiword that parses a .docx file for text. Sure, that may be "all most people need" but it's certainly not what's been advertised for the last 15-27 years.

Lee D Silver badge

Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

"OpenChange is a dormant open source project"

"OpenChange is a great proof of concept, but it is not ready for production use."

Nobody's come close to an open-source Exchange compatible replacement, same way that it's taken DECADES to come up with an open-source AD compatible replacement (and that isn't really something I'd run someone else's business on... maybe my own, knowing what it is, but not something I'd implement for someone else).

This stuff is hard. It took decades to understand and code up things to read video streams from MSN Messenger, etc. and none of them were ever any good.

Just because it exists, doesn't mean you can make a compatible open-source equivalent. Even LibreOffice "isn't Office" to most power-users. Sure, it suffices for 99% of people, but for the 1% that want to use it professionally, they can't.

You seriously overestimate the resources and talent available to code on open-source replacements for proprietary commercial software. Look at WINE, LibreOffice and Samba. It's the three biggest projects that do so, they aren't "there", even if they are usable, and they have more developers and money than almost anything else (you may find web browsers have more money available to them).

That's why most places don't bother and instead end up with an OS "equivalent" (e.g. other directory protocols, etc.) that they have control over, avoid patents for, don't have stupid legacies to tiptoe around, and they can afford to build and maintain.

Um, I'm not that Gary, American man tells Ryanair after being sent other Gary's flight itinerary

Lee D Silver badge

Same problem.

There's a guy with my name with a Littlewoods Ireland account who obviously never pays his bill. I tried a few times to correct them, now I just send them to spam. Had the same with RyanAir and Paypal and a couple of others.

I have in the past written a nice letter to another guy (also in Ireland, my surname is apparently quite common there but I've never been there myself) who signed up for a Paypal account, added a credit card and then got a friend to send him loads of money. I could quite easily have confirmed the account, changed the passwords and spent such money and there'd be little they could do about it (for a start, they wouldn't be able to get back into the account!).

But I'm a nice guy. I wrote a nice letter (all I had that I was sure of was a postal address), got a nice one back, the account got closed a few days later.

But it happens regularly. Plenty of people sign up for things thinking that my email is their email. I don't even bother to chase it now. I just bin them. They're nothing to do with me, and I'm not going to go logging into people's accounts playing pranks in case it gets classed as fraud by misrepresentation.

The funny bit is that not once have I ever used the real underlying account for anything - everything I do is forwarded from my own domain name to a mailbox that just acts as a convenient collection point. And I use a different alias for every company that I deal with.

As such, just binning anything from Littlewoods or RyanAir or similar that arrives in my account without having been forwarded from my domain name is very simple.

Millennium Buggery: When things that shouldn't be shut down, shut down

Lee D Silver badge

I just love it when you have something like this, and they won't let you have scheduled downtime for such actions.

Though not in the £50k/hour area, I had a similar situation before Christmas... updates had been postponed to an internal system because "we can't take the system down". Updates postponed a second time because "X needs to do Y so you can't update yet", and so on.

There are only a few windows in the year where I can update without everyone whining, and every time "someone" different had to do "something" important and it was always something that I, or they, felt couldn't be left half-done when updates were applied (which included database schema updates of the databases they were using, etc.).

So it got to December. Where I had a three week holiday booked. And so I stated that the update NEEDS to happen. There was much wailing and gnashing of teeth but I got it scheduled in two days before I finished (I'm not an idiot! Never do updates on your last day in!). I got agreement from everyone, a bit of "Oh alright then", but it got scheduled in, and notified, and notified, and notified. And then a day before, someone kicked up a fuss because they realised that there was yet another "something" that couldn't ever possibly be done completely before or wait until after the updates. Of course, that's in their opinion.

Speeding up their schedule to get it done before the updates "wasn't an option" (despite the fact that they'd had MONTHS to do it in). Putting it off until after the updates "wasn't an option". Doing it while the updates were happening wasn't physically possible and certainly wasn't sensible.

I didn't even attend the meeting. I just sent an email saying "It's been postponed multiple times, while it wasn't critical, and now it's critical. I will be updating". There was uproar. Not least because someone then went and told *some* of the users that because of the updates the system would be down on the wrong day anyway (I suspected an attempt at sabotaging the update from happening). And obviously the other users had all been told that it would be down on the scheduled day.

It was then that the emails started getting personal, wondering why I was allowed to have holiday (because I'm human?!), why they were being taken over Christmas (because most of Christmas is compulsory holiday anyway, and there were never originally any updates scheduled for Christmas, and I wouldn't schedule updates over Christmas normally anyway? Literally triple/quadruple-postponements are the problem, not that your IT guy isn't working over Christmas when you do no business anyway), wondering why the works weren't scheduled in (they were), wondering why we had to schedule in downtime for updates at all (which would be a fair point, if it wasn't for the fact that the software in question can't be running on any client when you apply updates to the server, and all clients have to have the same version number as the database they use), wondering why we couldn't pick a "more appropriate time" (I did! Several times! And people not doing their job postponed it again each time!), wondering why "someone else" couldn't do the updates (erm... because it involved both Finance and HR data, so nobody else should be privy to that information, plus nobody else on staff is qualified to do so - or even close! - plus you don't listen to the guy who CAN do the updates, so you can literally go find a new IT guy if you let someone else touch that system / access / password).

Turned out... we did the updates... as originally scheduled... nobody was affected... I was there a few days to check it all went okay... everything was fine... nobody (not even the users) shouted. A lot of fuss over nothing.

And now I can look forward to a discussion about "Scheduling all future updates". Which I do anyway. But now it will always mean "making sure my original schedule lets me throw people off the system", not just polite announcements. Because my schedule takes into account far more than their last-minute "I haven't been doing my job" reasoning ever does. So I checked the calendar for 2019 for when the system can go down. It looks like I have maybe a day in a week in March. And a few windows in July. Let's hope that a) no critical update is required, say for the new financial year or Brexit, b) not one user "has to" need the system in those windows, c) when I schedule it, people don't suddenly remember that ultra-urgent thing that they've put off all year must be done in that day because they're too lazy to do it before then.

Putting off the updates for every whim basically now means that you don't get the option to put off the updates. Ever.

To say that making a fuss over such a non-event was counter-productive isn't the half of it.

Your mates vape. Your boss quit smoking. You promised to quit in 2019. But how will Big Tobacco give it up?

Lee D Silver badge

Re: Look out

An early death costs huge in terms of taxes returned over your lifetime, not to mention effect on any children, etc.

The insurers may want you to die early, but the NHS will still have to fund you for treatment, and you won't be paying back student loans, debts, mortgages, taxes that you've been given (e.g. to fund your education, etc.).

"What an insurer wants" is vastly malaligned to "what's good for society".

Lee D Silver badge

Re: Look out

Imagine for a moment.

Someone makes a biscuit. It's fat-free, sugar-free, non-damaging.

People start to buy it and eat it a lot.

Now you discover that the people eating it LITERALLY refuse to go without the biscuit. A huge portion of the population are buying the biscuits and refusing to stop ever doing so. When they try, they have to take biscuit supplements that have the addiction of the biscuit without having to pay for the biscuit itself. The government starts funding these supplements because the problem of people spending their pay packet on the biscuits is all-too-common, and despite a tax of many times the actual value of the product, people are still buying the biscuits.

People get cranky when you suggest they give up the biscuits. They can't go more than a few days without the biscuits. Over Christmas they all vow to give up the biscuits but by new year they are all back on them.

The problem with this stuff isn't the health effects (though they are horrendous, devastating, expensive, and both self-inflicted and inflicted on others against their will). It's the addiction.

Caffeine addiction isn't anywhere near as bad. Nor is sugar addiction (sugar tax has ONLY just been considered, and that's because of obesity and availability, not because people spend most of their pay packets on sugar).

Nicotine literally turns you into a mindless child who can't do without a substance that they would never have been exposed to in natural life. I regularly make bets with friends or co-workers who are smokers (or vapers) who claim they can "give it up any time". The longest one lasted a handful of weeks and was so cranky in between that I had to take them to one side and tell them to do something about it - they had an arm-ful of nicotine patches. The shortest one literally lasted 24 hours, and lied about it, until I demonstrated that not only had they smoked but that they'd done it directly in my field of vision.

Nicotine turns grown-adults into addicted children about something which has zero health benefits, nutrition or anything else for them - it doesn't even provide a "high"... research shows that "nicotine highs" are really just a return to normal levels of hormones because nicotine withdrawal makes you hormonally substandard.

That smokers are moving to vapes is a start to keeping them alive, and honestly their health is the last thing on my mind. It doesn't stop the expense, or the "skills" of rolling / coils / whatever which they are so proud of. I've witnessed an hour-long conversation over wattage and coils and batteries between two people who previously wouldn't have known a AA from a C cell.

It's also not "friendly" as a habit to others. Your stuff STILL stinks. Ever walked past a Lush? That's what you smell like, constantly. Sure, better than stinking of smoke (my ex could smell if I'd been in my parent's house that day, even without them ever lighting up when I was there), but still obnoxious. I once was in a beer garden eating a meal with 20-30 other people and one guy on a distant table had a vape so obnoxious and sickly everyone complained, moved tables and stopped ordering food because it tainted everything. At one point, a guy LITERALLY disappeared in the cloud of vape in the outside beer garden - walking through it just as the guy exhaled - and he couldn't be seen in the ensuing cloud.

Vaping is still a bad habit, and still can be obnoxious to others. From the smoker's view, it's still a waste of money, addictive, causes mood swings, and is unproven (sorry but inhaling some shite that's going into your lungs, is viscous enough to produce a visible cloud, congeal into a fluid, and that may have been bought from China and mixed with lead paint for all you know is never going to be healthy for you!). Those are your concerns as a smoker, though. From a society point of view, you're still substance-addicted with extreme difficulty to quit, to an expensive habit, that's unnecessary and doesn't actually do anything positive for you above "just not smoking anything".

I didn't think I'd ever say it, but I have more respect for cannabis smokers than vapers. At least they are getting something out of it that's not available elsewhere - and rarely do it in your face in a public restaurant.

Racing at the speed of light, Sage superhero bursts through the door...

Lee D Silver badge

Re: Deeply concerned about staff downtime

Much more concerned that there's no central update mechanism, GPO or scripting to run the client update, or even RD so you do the entire thing from one place.

RUNNING around is a sure sign that you don't understand IT and are about to break something much more important than a bunch of shirt buttons.

Hundreds of machines, thousands of users, and I've run more because "some guy just tried to plug in an unauthorised USB stick on the other end of the site" than anything else.... ever.

You better watch out, you better not cry. Better not pout, I'm telling you why: SQLite vuln fixes are coming to town

Lee D Silver badge

Re: Not sure if I read this right...

You'd be amazed at the places that use SQLite.

I've seen it everywhere from access control products to websites to educational software.

It's usually bulletproof. Because even when you allow people to throw arbitrarily corrupted databases and any SQL query you like at it, if you properly secure it, it's almost invincible.

As stated, even this flaw isn't possible if someone bothers to read https://sqlite.org/security.html and follow its advice.

The question is not "OH MY GOD WE ALLOW PEOPLE TO EXECUTE SQL IN THE BROWSER!" - it's "what security model is it executing that in?". Fact is that running SQL inside the browser is a very popular, useful and desirable feature (just because you see the potential security problems with them, it doesn't mean that the FEATURE to be able to do things isn't desirable).

And SQLite is pretty rock-solid. That's the first ever serious flaw I've ever seen in SQLite ever mentioned. Look at their security page above... do they sound like they are messing around and just slapping things together?

No software is fully bulletproof. But SQLite comes damn close. And is incredibly useful. Why operating systems don't offer centralised database functionality as part of the OS, I never understood. Everything from users to configuration files to program installation manifests should really be a database, meaning something DESIGNED to be queried and modified like a database. MSIs and things do contain databases but not in the same format. A generic, OS-wide, database feature (even down to filesystems, remember the WinFS promises?) is something sorely lacking.

Bookmarks in a browser already use such a database (Opera's bookmarks were a plain SQLite file for what? Nearly the last 20 years? Not much software has that kind of testing behind it). You may disagree with the concept of WebSQL but it's not a Chrome-exclusive feature, and if you're implementing it, I'd damn well rather they used SQLite than MySQL or (ARGH!) MS SQL!

Note: I've banged on the SQLite backends with some programs I've written myself. A school full of kids sitting tests in a custom bit of software, each client literally spin-locking a central network SQLite database to add and query their results on the fly. It worked like a damn dream and was rock-solid. I'd rather ditch the entire rest of Chrome and keep SQLite than the alternative, any day.
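One way to apply the kind of lockdown that https://sqlite.org/security.html recommends for untrusted SQL (authorizer, limits, progress handler, trusted_schema off), sketched with Python's sqlite3 module. This is an added example, not part of the original post and not SQLite's or Chrome's own code; the table names, whitelists and work budget are constructed assumptions.

```python
import sqlite3

READABLE_TABLES = {"results"}   # constructed: the only table untrusted SQL may read
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "lower", "upper"}
MAX_PROGRESS_CALLS = 1000       # x 1000 VM instructions: work budget per query


def authorizer(action, arg1, arg2, db_name, source):
    """Default-deny policy: read-only SELECTs over whitelisted tables/functions."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:        # arg1 = table, arg2 = column
        return sqlite3.SQLITE_OK if arg1 in READABLE_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION:    # arg2 = SQL function name
        ok = (arg2 or "").lower() in ALLOWED_FUNCTIONS
        return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_DENY               # writes, DDL, ATTACH, PRAGMA, ...


def harden(conn):
    """Apply connection-level defences, then install the authorizer last."""
    conn.execute("PRAGMA trusted_schema = OFF")   # ignored by very old SQLite builds
    conn.execute("PRAGMA cell_size_check = ON")   # extra checks on database pages
    conn.execute("PRAGMA mmap_size = 0")          # no memory-mapped I/O
    # Newer Python versions expose more of the C API; use it when present.
    if hasattr(conn, "setconfig") and hasattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE"):
        conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True)
    if hasattr(conn, "setlimit"):
        conn.setlimit(sqlite3.SQLITE_LIMIT_SQL_LENGTH, 10_000)
        conn.setlimit(sqlite3.SQLITE_LIMIT_LENGTH, 1_000_000)
        conn.setlimit(sqlite3.SQLITE_LIMIT_EXPR_DEPTH, 20)
        conn.setlimit(sqlite3.SQLITE_LIMIT_COMPOUND_SELECT, 3)
    conn.set_authorizer(authorizer)


def open_hardened_demo():
    """Build a constructed in-memory database, then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (pupil TEXT, score INTEGER)")
    conn.execute("CREATE TABLE staff (name TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO results VALUES (?, ?)",
        [(f"pupil{i:03d}", (i * 37) % 101) for i in range(200)],
    )
    conn.execute("INSERT INTO staff VALUES ('fbloggs', 'constructed-placeholder')")
    conn.commit()                 # finish setup before the authorizer blocks writes
    harden(conn)
    return conn


def run_untrusted(conn, sql):
    """Run one caller-supplied statement; return (ok, rows or error text)."""
    calls = 0

    def budget():
        nonlocal calls
        calls += 1
        return 1 if calls > MAX_PROGRESS_CALLS else 0   # non-zero aborts the query

    conn.set_progress_handler(budget, 1000)
    try:
        return True, conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)
    finally:
        conn.set_progress_handler(None, 1000)


if __name__ == "__main__":
    db = open_hardened_demo()
    for stmt in (
        "SELECT count(*) FROM results",
        "SELECT name, password_hash FROM staff",
        "DELETE FROM results",
        "PRAGMA table_info(staff)",
        "SELECT count(*) FROM results a, results b, results c",
    ):
        print(stmt, "->", run_untrusted(db, stmt))
```

The authorizer is installed last so that the setup statements and PRAGMAs are not themselves refused by the default-deny policy.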

If most punters are unlikely to pay more for 5G, why all the rush?

Lee D Silver badge

Re: Well, if they can secure it, then it's okay, I guess

"More secure"

Than a handset?

Than a VPN over any public broadcast mechanism?

I doubt it.

If you worry about security, you don't care about the medium - you care about the measures necessary to secure it.

5G, in that regard, like all its predecessors would always be an untrusted medium for data, and most definitely for voice. It can *be* secured. You just VPN/SIP over it to a trusted endpoint from a trusted handset. Same as anything else.

Selling 5G on "security" is the worst idea possible. Nobody who cares would use it, nobody who uses it would care.

UK spam-texting tax consultancy slapped with £200k fine

Lee D Silver badge

Re: So Tax Returned Limited

I think they introduced a law very recently which combats exactly that.

Specifically the ICO, I think, asked for it so they can chase directors and assign personal liability if the company has been declared bankrupt and avoided the fines they've imposed.

Qualcomm all ye faithful: 5G's soon triumphant... like 2020 soon. Really

Lee D Silver badge

5G may be overhyped. But it's an inevitable requirement for the future.

It's only sensible to assume that, in the next 10-15 years, we will:

- Have more cellular devices online.

- Have more cellular devices per person/household (e.g. smartphones, smartwatches, GPS trackers, cars, smart meters, etc. etc. etc.)

- Those cellular devices will thus be more densely packed and need to share bandwidth.

- Some of those cellular devices will require greater speeds than are available today. Whether that's people streaming 4K movies, playing VR, website HTML sizes increasing, more live-streaming of video, or whatever, it's a reasonable assumption that they will use - on average - more data than today.

As such, 5G is necessary. For nothing else than its capability to support more devices in the same areas using more frequency bands, with the total speed available to share out from each mast having to be more than at the moment.

It's not that people are complaining - people are satisfied. But you only need one "fad" (think "Pokemon Go / Tamagotchi / etc. but with something cellular-based") and if you have failed to prepare, the whole network will collapse for even today's use. And naturally there will be more things online tomorrow than today. Fail to prepare for that, and everyone's current capacity drops in proportion to the number of new devices. How long before you're buying a "Netflix box" or Amazon Fire Stick that directly streams over 4/5G and doesn't need to connect to your wifi at all? Especially with eSim technology, they could easily do that, and thus bypass issues with other cellular providers or their backhaul providers.

It's an inevitable and necessary upgrade. Hence, why people would hype it up, I can't understand.

I live my life via a 4G Wifi box and a smartphone. I literally do not have a landline connection (despite there being one in the property, it would cost more to activate and use, to provide a slower connection than I already get over 4G). If I can live your entire digital life without ADSL/VDSL/Cable today, then 4G is already viable to do this on. 5G just means that EVERYONE would be able to do so. I game, I stream, I have a SIP phone, etc. etc. Nobody even notices, you just join my wifi from a little box and you're "online". They even question the need for the box because I could just "hotspot" from my phone, they say. They know that... they use it themselves.

5G could easily make your "Internet" connection travel with you (so you can check your plane tickets from work, for instance, without filters getting in the way), and make landlines obsolete. It's far from a useless leap in technology (unlike, say, 4K/8K/HDR/etc. which will still sell millions of devices alone).

Literally, my only hope is that, with the new speeds and high-capacity, data prices will drop. I can get 40Gb for £22 a month. I actually use 90Gb a month on that package (it doesn't include certain streaming services). I really could easily burn through 400Gb in a month if I had the money to do so. There's no technical reason in the way of me doing so at all, even in the middle of a large city inside the M25, sharing the "connection" capacity with all the neighbours and anyone who walks past with a smartphone.

But if 5G gives me bigger data allowances, greater speed, and a more resilient connection using more frequencies, I'll buy into it. Whether that's a 5G SIM in my existing 4G box, or whether that's buying a special 5G Wifi box with eSIM, I know that I'd end up getting it.

Lee D Silver badge

Re: A warning, really.

Same old story:

When I can buy it, in a shop, at a decent price, with a reasonable chance of working. Then, and only then, do I bother to look at whether it's something that I want or need.

Until then it doesn't matter if there's one chip or a million that does the job, one mast or a million, one handset or a million.

Until I can buy it as consumer hardware, through ordinary channels, and it's advertised to me as an available product (i.e. 5G will work on my usual telecoms company, etc.) then it literally doesn't matter.

Same as every battery advance, "electric car", stupendous CPU, amazing new tech, or whatever else.

For fax sake: NHS to be banned from buying archaic copy-flingers

Lee D Silver badge

In the UK both are.

You just may have to retain the original in order to prove its origin via headers etc.

(Hint: There's a reason that Exchange has a "legal retention" functionality. If they weren't binding, they wouldn't be able to form evidence of any kind).

There was a time when fax was accepted and email not, but when I moved house last year, I signed a lease agreement electronically, no problems. I pull my suppliers up on their failures via email records, no problems.

A country that doesn't have email as a binding contract now (provided, as with any medium, that the content is actually received and stored properly... anyone could fake a fax from any number the same way anyone could fake a fax from any email address) is probably a bit backwards.

If you'd accept it in court as evidence (and everything from Facebook posts to emails have done that in all kinds of jurisdictions), then it's fine.

With things like Exchange and the proper retention / audit options, it would also be almost impossible to claim you hadn't received it, too. Hell, a president is just about to be put behind bars and that'll come down to emails at some point, you can guarantee.

The question of "legal service" by email is slightly different, and that has been resolved (positively) for a long time.

Tech support discovers users who buy the 'sh*ttest PCs known to Man' struggle with basics

Lee D Silver badge

Re: The right attitude

Agreed - most of the time.

If you say "press the button on the corner of the screen" to someone that grew up without computers, then they are going to look for a physical button on the display itself, not a virtual "button" in the corner of a non-tactile lit display.

But users can also be absolute morons too. I have more-than-one user for whom it has taken four years to grasp that they can use the scroll wheel rather than having to hunt down the window edge, find the half-greyed-out miniature and ever-changing box, click and hold and then drag down the screen, instantly jerking 50 pages at a time and spending an age trying to get it back to the page they were looking at.

And STILL, it's not their first action when they need to scroll, they don't get that they have to be in the right window (if you have ten scrollbars, how's it going to know what scrollbar you're scrolling?) and so when you have a scrollbar in a textbox on a webpage, the farce continues no matter what method they use.

Don't get me wrong, they're lovely people, just not the most computer-literate. But I wouldn't start by assuming they just *know* how a computer works.

My staff induction process consists of a first series of questions which are "What level would you like me to pitch this training at? You okay on computers? Happy for me to go at Warp Nine and you stop me if you don't understand, or you want me to lead you through it?"

Total Inability To Support User Phones: O2 fries, burning data for 32 million Brits

Lee D Silver badge

Re: Not just O2

Station guard?

No it's more akin to complaining to the ticket office, and then being told "Not my fault, mate, we hire the ticket machine from Joe Bloggs Ltd. I'm working for <insert rail company here>. Not my problem."

If you bought a product or service from O2, your only legal, financial and customer-service recourse is to them, or an ombudsman of their industry. I don't care WHY they're having problems (whether that's that they haven't paid their bills, that their suppliers are useless, that their contractors didn't turn up, or that heavy snowfall in the Outer Hebrides stopped the consultant coming out today). That's up to their business processes to handle.

My only interaction with them would be via the service they are contracted to provide, and are failing to do so.

In the same way that no court would entertain someone saying "Well, my contractors didn't deliver the goods, so I couldn't give them to the customer who sued me" (they'd just tell them that's their issue, and irrelevant to the case, they are still bound by the contract whoever their goods come from), customer service, returns policies, etc. work the same. They would actually get sued by the customer, and then they would have to sue the supplier to get their money back if that was the case.

You only have to deal with the people you bought the good or service from. You NEVER have to deal with any one of their contractors or manufacturers. Otherwise quite literally you'd be given the run-around between 50 different companies who all do one bit of the work, in order to fob you off as long as possible.

Bought phone from shop and it doesn't work? Take it back to the shop. It's up to them to argue with Samsung/Apple.

Bought phone service from O2 and it doesn't work? You shout at O2. They can blame anyone they like, it's their responsibility, choice of contractor and problem to resolve, not mine.

Otherwise, you'll literally end up being told "Yeah, well, your local mast is run by Bloggs Masts Ltd, who we paid to run it. We don't care. Speak to them."

Lee D Silver badge

Re: Not just O2

"The Down Detector page for O2 is full of outraged people having a go at O2, but in reality there's nothing O2 can do except wait for it to be fixed."

They could switch to their backup system.

Oh... you mean "nothing they WANT to pay to have in place for just such an occurrence that'll drastically affect their ability to operate if it ever happens"?

To be honest, if I were coding things, I'd make sure that when the accounting etc. database was down, that data was still kept active anyway (it's run from leased lines on the masts, not from some central location) - yeah, you might get people using data unaccounted for while you're having issues but an unannounced "we've not counted some of your data because of a problem on our end" is far better than "Oops... everything's down for everyone and there's 'nothing' we could have done about it".

This is a company with millions of customers that doesn't want to spend on a separate, isolated, failover database that doesn't get software-updated in tandem with their primary database. I have zero sympathy.

Gimme my data, or stop running a telecommunications firm. Either way, stop running it like some mom-'n'-pop outfit without any way to fail back when the primary database falls over.

Incoming! Microsoft unleashes more fixes for Windows 10 October 2018 Update

Lee D Silver badge

Yeah, tell me when they at least bother to put out an update without any "known issues" (documented or not).

Then I might look at testing it.

Until then, my decision to stay as far off Windows 10 as possible seems to have been worthwhile. I might have to deploy it next year. If so, then this issue might (finally) be fixed by then. But likely I'll still have to do everything in my power to stop updates deploying without consent.

SEAL up your data just like Microsoft: Redmond open-sources 'simple' homomorphic encryption blueprints

Lee D Silver badge

As a mathematician, this kind of thing interests me greatly.

But in terms of practical use it's very limited.

For instance, though it's *possible* to query an encrypted database... "It must be noted that... the authors have... used simple and non secure homomorphic scheme and still it takes a huge toll on the performance. For e.g. a 16 bit multiplication takes approximately 24 minutes."

This seems inherently impractical and it doesn't look like something we can parallelise in order to speed it up, or anything that any sufficiently large database (to be useful anyway) would be able to utilise in a general fashion for everyday queries.

Sure, you could farm off the database and all such computation to the cloud (that is after all the point - you ask an untrusted third party to do work on a database that they hold but cannot ever determine results or data from), but I can't see it being practical any time soon.

If a 16-bit multiplication takes 24 minutes, imagine how long any kind of complex SELECT statement is going to take, let alone whole-database UPDATE WHERE operations, etc.

Sysadmin’s plan to manage system config changes backfires spectacularly

Lee D Silver badge

Re: Automation does have its place

@Anon The guy in question was a highly-paid specialist IT consultant brought in to do disaster recovery on their systems... he had a year, a clean slate, virtually unlimited funds, new kit (everything from network switches to PCs to tablets to servers from the ground up), all the time in the world, and absolute control of anything he wanted.

He was brought in as "the expert" to set the tone for the system. I was hired later as the guy to "keep it ticking over" day to day. It took 6 months to turn that situation on its head.

Lee D Silver badge

Re: Automation does have its place

The "admin who does things like it was 30 years ago" is surprisingly common.

When I started here, there was no computer imaging process - each one was manually cloned from one of its nearby machines and then manually re-configured. There were duplicate SIDs and unlicensed software everywhere. There was no user-management - each one was set up manually each time, so half of them were missing something or other. And home folders were manually made and permissioned for each user on creation*. Everything was done with copy-paste batch scripts that he didn't understand, which everyone ran on every login, and which literally carved out exceptions (e.g. IF %username% = "fbloggs", to map drives, printers, etc.). The console windows were still visible minutes after logging on as they churned through it all every time.

AD was literally a shock to the guy beyond "create new user". And he was being paid by the hour (not the reason for his lack of process, at least not directly, but he literally didn't have the knowledge).

Within a week, and without spending a penny more than had already been spent, I introduced F12 PXE boot to WDS (which meant imaging took 20 minutes from bare-machine to domain-ready client with the base software in the worst case), group policy (which meant that user's printers, drive maps and settings, and machine's specific software and settings were installed after a couple of reboots of any fresh machine, controlled centrally and changed and cloned easily), and the MSKB article which shows you how to permission the root profile folders applied so that users just logging in would create their own profile folders if they didn't already have one.

Literally the guy was stuck on using things that had "worked" for him on Windows 2000 and never bothered to update knowledge in all that time. That you could deploy a printer from a GPO was new knowledge. That you could image machines from a clean template. That you could centrally control updates. That you could map drives. That you could have a proper tree of users and groups (rather than just leaving everything in the default users and groups folders) and have "Users" settings apply to everyone, while "Users\Office" people also got office settings, that you could modify policies on the domain other than "Default Domain Policy" (literally EVERYTHING was in there). That you could target a policy at users, groups, or even things like Windows versions or machine types.

It took me a few weeks to go from utter unmanaged chaos to "F12, new image, reboot, right-click in AD, clone an existing user (even disabled) of the same type, set password, bang... everything comes down".

It's alright, it's not like we were a school or anything, with 500+ pupils, ~100 staff, all with different settings and permissions, ~100 leaving and ~100 joining users every year, and all needing central control for things like web filters (enforced proxies), etc.

Literally, his "web proxy setting" was a Regedit script for Mozilla Firefox run from a login batch file. Press Ctrl-C and it never got applied. Unapply it after login and it bypassed everything. And, no, not even a "catch-all" transparent filter.... literally relying on that batch file to be all your security.

I honestly never asked what the rest of the junk in his batch files was and just started replacing them from day one. There were things in there playing with Word/Office, activation, antivirus warning disabling, ActiveX permissions, desktop icons (copied from the central server every logon), all kinds of stuff. I just switched them off for a few test machines and then resolved the issues that occurred in a more proper manner.

(*To this day, years later, I'm still finding folders that don't have inheritable permissions and/or have things like "Administrators" - the group not the user - as the owner. There were also a ton of legacy folders, including user profiles, that literally the user could access but administrators couldn't. The only way to fix is to take ownership of all files with recursion, then repermission with recursion, then put the file owner back as it should have been).

P.S. He didn't last long.

Stats model: UK small biz overpays for stealth mobile plans

Lee D Silver badge

Re: Pah - what's the point ?

If someone has to buy your business, it's obvious that:

- They know their original price was just there to scam you and until you complained, nothing happened. They don't care whether you get a good deal, they just want your money.

- They can't compete against the others in a fair comparison.

- Your company doesn't care about what they actually use, preferring to lay their business at the hands of a fancy dinner for the CEO.

All of the above are only ever symptoms of the same kinds of "who-cares" management.

If you're signing up for multiple years on the above basis, it's game over, nobody is ever going to change that in the contract term and then the "renewal" can be to ANYTHING else and still win praise ("It will cost us more, but that's because we're not locked in any more", "I found a better deal for us", "I negotiated with our usual supplier and got a discount", etc. etc.).

I've learned to just ignore it. These people have elevated themselves to a position where their failure doesn't matter, even if it appears as a huge percentage of the costs on the balance sheets. They could literally spend company money on moving manure around in a box and nobody would care, because they "make enough money" even with that. Totally ignoring that they could make *more* money if they didn't.

Every sufficiently large organisation ends up going this way, and there's pretty much nothing you can do about it except start your own company and cut that stuff out yourself.

Personally, every single clawing salesman I ever see is just a warning sign - if you want my business that badly, there's something wrong. The more you crawl and discount, the more you're just trying to play the human rather than the numbers, and the lower those numbers could have always been ALL ALONG.

I've actually got into arguments with salesmen about such things and told them I wouldn't do business with them ever again. They can't understand it, and all they care about is their commission.

Personally, my workplace has several dozen mobile phones with a provider who just resell Vodafone contracts. We are paying way over the odds for pathetic amounts of data, text, minutes, etc. and nobody cares. We don't have any special requirements, we have a handful of "SIM-only" things for GSM equipment, and we're paying £30+ a month for 48-month contracts with only 100Mb of data in some instances. We also pay through-the-nose for a "device fund" which we can use to get them to send us a new phone. They obviously scrape the interest off those as we pay all the time but only rarely request a new phone. They never have the phones we want. New phones are ALWAYS locked to their network. They take ages to deliver. They send a SIM separately days later (presumably direct from Vodafone in a way we could do ourselves!). The SIM never fits the handset. We phone up and then they send us a multi-SIM. Then we have to wait for that to arrive. Then we have to phone them back up and give them the SIM, IMEI etc. and they lock them all together. And they NEVER have records and I have to faff and keep track of SIMs, numbers, IMEI's etc. for them.

And yet, in my personal life, I deploy exactly the same kinds of devices, either on a £5 a month minimum rolling payment I can stop at any time, or a £25 one-off payment and pennies per text (for the GSM ones, guaranteed not to cut you off just because you don't use them much). Unlocked handsets. SIMs that I don't have to tally at all. I could literally slice the organisation's monthly mobile phone bills by at least 5/6ths if I was allowed to, plus spend only half what they do on devices, and there'd be no difference in service (only positive), and I'd even move the numbers over if it was necessary. For that you'd get TEN TIMES more data, probably free phone calls, etc. and none of the lock-in problems.

But they continue to use them for reasons I can't fathom.

OneDrive is broken: Microsoft's cloudy storage drops from the sky for EU users

Lee D Silver badge

Re: Ah the Cloud

"Where does rain come from?"

Nice try...

***A*** cloud, or clouds.

Not ***THE*** cloud. Unless you live on Planet Cloud which just has a single blanket coverage.

Lee D Silver badge

Office 352 - 360 depending on where you live, I think.

Put it this way... it ain't five-nines:

SLA level of 99.999 % uptime/availability gives the following periods of potential downtime/unavailability:

Daily: 0.9s

Weekly: 6.0s

Monthly: 26.3s

Yearly: 5m 15.6s

It's closer to 2-nines or less:

SLA level of 99 % uptime/availability gives the following periods of potential downtime/unavailability:

Daily: 14m 24.0s

Weekly: 1h 40m 48.0s

Monthly: 7h 18m 17.5s

Yearly: 3d 15h 39m 29.5s

Montezuma's Revenge can finally be laid to rest as Uber AI researchers crack the classic game

Lee D Silver badge

I'm still not seeing AI.

As in... at all.

It's basically given a simplified graph (these keys in these rooms in this order) and path-finds down the tree to work out how to get there.

It's human-written heuristics guiding a very-limited-scope "AI" which wanders aimlessly (nothing wrong with that... A* is basically a random walk at times) and then scores itself based on a human heuristic for those "cells".

It's not AI, learning, or anything close to that at all. If this is really "best of breed" in terms of AI, then it shows what I've known all along - we don't have AI and won't have for a long time to come.

Microsoft suffers the Tuesday shakes as Exchange Online continues to be wobbly for UK users

Lee D Silver badge

Re: Is Daz in sales ?

"I put all my eggs in someone else's basket and have no idea where the basket is or what's happened to my eggs but I'm assured that I can get them back and look at them any time I ask to..."

Yeah... poor Daz, my backside.

At the very least you need it as an EXTENSION on in-house/on-prem, but not a replacement. That's just stupid.

Fortunately, the exact thing that Daz is suggesting (outsource the IT department to Microsoft) is likely the exact thing that will happen too. Not only is it "how to put all your eggs in someone else's basket", it's also "how to put myself out of a job even if everything worked 100% as I expected".

Openreach names 81 lucky locations to be plugged into its super-zippy Gfast pipe

Lee D Silver badge

Re: "Up to"

And yet, as a mathematician, I know that what you're suggesting is basically just a charge per gigabyte.

And everyone would moan like hell about that.

If you pay, say, £30 a month, you might get 300Mbps / 300Gb for that. But you're unable to use it all because of the speed, so they charge you proportionally... then that basically means you're paying £10 a month for 100Mbps / 100Gb (because you couldn't have used all the data in the time you're given, so the speed and bandwidth are basically equivalent) and so on.

What speed you did it at is basically irrespective if you want to allow them to let you pay proportionally.

But sell someone an Internet connection on the basis of "we'll provide a connection, we won't tell you what speed it could reach, but you'll pay 10p per gigabyte" and nobody would touch you.

Sure, it might encourage them to up speeds as much as possible, but it wouldn't be long before people realised that actually they don't want that at all and they'd rather the kids couldn't run up a thousand pound bill because of them leaving Bittorrent running.

Much like happened with cellphone roaming charges, for instance. Which are... pay per Mb. Same thing, different scale.

Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up'

Lee D Silver badge

Re: Would have expected this from a luser.

You'd think an infosec consultant would be able to install something to, say, monitor login accesses to her computer, or at the very least record footage on the webcam or something.

Because it would be really hard to go to court when your own evidence basically says "Oops, that happened when I pressed Ctrl-Alt-Delete to logoff not knowing that usually means 'reboot' in Linux", or "Nobody but me ever went near the machine".

A rumble in Amazon's jungle: AWS now rents out homegrown 64-bit Arm server processors

Lee D Silver badge

I have 10+ ARM powered devices in my house, and I don't even try to buy them.

Two smartphones (not iPhone).

One GP2X (I used to develop for it).

One tablet.

One RPi.

One TomTom (defunct)

CCTV NVR

...

With the exception of the GP2X, these are hardly far from consumer items. I deployed 50 Intel Atoms a few years ago - they worked fine for office tasks, no problem at all. A lot of people who have Intel Atom don't even know they do.

P.S. Intel Atoms suck for low-power usage. I know of precisely one "RPi-competitor" board that they brought out to try to capture that bit of the market, and it's very unpopular. Even Mini/Nano-ITX with laptop chips did a better job 10 years ago.

Power = heat. Heat = cooling. Cooling = expensive. A rack full of ARM chips in the proper layout will reduce costs and, so long as it runs PHP and Wordpress, that's a vast, vast potential saving right there just for a bog-standard hosting provider. And, yes, you can get Intel Atom dedicated servers. Check out OVH/Kimsufi (same people, first/second-hand kit - it's second-hand because someone used them for years already).

Maybe not your use-case, but I'd happily pay for an ARM-powered PC with PCIe, SATA, etc. connectivity and Linux.

Not to mention things like Spectre and Meltdown. I think you miss that some of the most powerful chips that people use today are from ARM. Most people never max out their CPUs and when they do, Intel stuff just dials down to ridiculous speeds nowadays (Intel are still selling machines which are clocked at 1GHz as "4GHz" machines... they can maintain 4GHz for only seconds under normal cooling arrangements). But their phones and other gadgets are doing tons in software and ramp up past those speeds just for playing with silly graphics filters.

While you were sleeping, ARM owns the mobile phone market, tablet market, is already inside the Chromebook / mini-book market, the games console market, has Microsoft making Windows for it, basically has the IoT market to itself, and is now edging into the server market quite happily.

Lee D Silver badge

The world is slowly turning ARM and I think it's about time too.

ARM is powering all kinds of things and even 10 years ago we had handheld games machines with ARM running Linux and pumping out 3D graphics at GHz while running off a pair of AA's (e.g. Gamepark Holdings GP2X but also things like the Nintendo DS do the same without the Linux!).

ARM is an architecture more than capable of anything you want to do. The only restrictions are like the restrictions of old... if you absolutely MUST have x86/64 architecture because your software is only available for it, then you cooked your own goose long ago. But even Office is available for Android etc. nowadays.

I would happily run ARM everywhere. The only problem is the "second class citizen" factor - Windows on ARM is nothing like Windows on x86/64. If they were equivalent, it would be a very different board game.

Saying that, I've been tinkering with RPi's a lot lately (I was an early adopter, but there were lots of problems with the early models and their networking/USB when you pushed them hard). I could happily see myself using an RPi for everything I do, if the right software existed. I ran a Linux desktop for many years, I could happily do it again on the RPi. And £30 for a machine like that isn't to be sniffed at. The only real problem is lack of RAM but there are clones that have more RAM if you need it.

It's literally getting to the point now where for daily use people are using ARM (tablets, phones, even the iPhone itself, etc.) and only going to x86 for "real work" which is usually just basic browsing or remoting in anyway (and ARM Chromebooks are the next logical step for them). If Amazon are able to bring ARM into the datacentre, others will and it won't be long before you can buy ARM dedicated servers as easily as x86 ones. The only thing missing is the software offering.

Honestly... if the world went boom tomorrow, I think ARM would take over overnight. Cheap, "open", low-power, widely available, all the programming tools in place, powerful, etc.

Is there any reason that an ARM couldn't sit in a standard motherboard socket and access just the same resources as a "standard" machine (BIOS upgrade aside as presumably that's x86 code)? There's nothing to stop them getting to the same speeds, interfacing with the same hardware, working with standard kit.

Sell me an ARM-based desktop today with, say, PCIe and a serious nVidia graphics card in it, and I'll be digging out my wallet.

Domain name 'admin' role eyed up as latest victim of Whois system's GDPRmeggdon

Lee D Silver badge

What makes you think for a second that someone who stole your domain name would put their genuine home address onto the WHOIS when they did so?

If someone stole your bike, would you be expecting them to register it as their own on a public list of bike-owners? And if they did, would you assume those details to be correct? And if they did, would you pile into that person or would you be expected to - for example - go to the police/courts who'll determine who really has it, return it to you if possible, and you'll have precisely ZERO dealings with any ensuing law enforcement action beyond providing a witness statement (they won't tell you the criminal's home address!).

The equivalent here would be "file a complaint to ICANN". That does NOT need YOU to have public WHOIS information for every domain name in the world.

Your argument is one of the weakest arguments I've ever heard in my life.

Lee D Silver badge

It's not a question of what they hold. Of course them holding technical and administrative information for the intellectual properties they are renting out is reasonable.

What's NOT reasonable is displaying that information to all-and-sundry on any request whatsoever to the extent that you have a public API to do so.

Law enforcement need it. Sometimes the technical people need it. But why do you have to have it as a publicly available list of names, addresses and emails? I don't get that for, say, the people who sell on eBay.

Why not just remove the information from public view entirely and replace it with a contact form? Exactly the same effect - genuine grievances and trouble can be notified to the right people, but the average spammer can't just trawl the whole list and spam them, and no personal user is ever identified against their will.

It's not a question of what they HOLD (though that is affected by GDPR, it's hardly different to what they need to do), it's a question of what they DISTRIBUTE. Which should, quite literally, be... nothing.

Bedroom design outfit slapped with £160k fine for 1.6 million spam calls

Lee D Silver badge

Re: The traffic wardens literally just hand the ticket to the driver EVERY DAY,

"or just use common fucking sense. How else are you supposed to deliver beer barrels?"

With an appropriate licence to park in an appropriate and safe location. Generally speaking, double-yellows and double-red lines indicate a place where it's NOT safe and appropriate to stop and deliver goods of any kind, let alone barrels weighing more than I do which need to be trollied down the street and thrown into a big hole in the ground.

Gosh, if only someone had considered that when they painted those lines and made lines that you COULD park on to deliver, but not just stop on, to ease the flow of traffic while allowing essential business services to proceed.

Moron.

Lee D Silver badge

Re: Just the cost of doing business

My dad works for a brewery. They're required to deliver beer all over London, usually by parking on double-yellows, red-routes, etc. in all the horrible-to-access backstreets and pedestrianised bits, etc.

The traffic wardens literally just hand the ticket to the driver EVERY DAY, they're so used to it. To the brewery, they just add £100 or whatever onto the cost of the THOUSANDS of pounds of beer that place buys each time. The bar owners don't even question it, it's literally "Yeah, sure, everyone does" and the cost of doing business in central London.

Totally destroys the entire point of there being any rule, enforcement or penalty whatsoever, and I bet the neighbours and traffic are seething at them because of it.

Lee D Silver badge

At least the fines are getting there... 10p to a £1 per call is actually in the "ouch" range now.

And now they can no longer escape by just declaring the company bankrupt, they really need to buck up their ideas.

Bigger question: If people have SPECIFICALLY said they don't want marketing calls, quite how many sales are they making from calling THOSE SAME PEOPLE? I know for myself that I opted out not because of any particular reason other than "I will never buy something from someone who just phones me up at random". As far as I'm concerned, I'm saving both of us time, effort and money by doing so.

To my eyes, the TPS is a list of "no-interest". I use it privately and as part of my job (no, a school does not need every man and his dog to phone up to check if they'd like to change telephony provider every two minutes). I think it should be unnecessary, especially now that explicit consent is required by law anyway, but I also think the exact people to blame are the exact people supposedly enforcing these laws.

Phone me unsolicited and - unless we have a business relationship, or I know you well personally - I will literally never buy anything from you. You could be my long-term supplier and put in a random sales call to me and if I haven't asked you to phone, I will just complain about it. If it's something you know I've been waiting for, something I was asking you about, something we've discussed previously, sure.

But, to be honest, even the "we spoke last year and I was just checking in" phone calls are annoying enough.

It's like there being a list of "people who don't want theatre tickets"... and then theatres spamming those people about theatre tickets. 1) Why would you have such a list, 2) Why would you think it's worth your time chasing those exact people? You keep a list of "people who might want theatre tickets", surely, if you have any interest in drumming up business? Not the opposite.

Great Scott! Is nothing sacred? US movie-goers vote Back To The Future as most-wanted reboot

Lee D Silver badge

Re: Hmm.

I think you're right.

I hate "sequels/remakes for the sake of it". That kills so many franchises for me.

Bladerunner, Total Recall, Ghostbusters, all kinds of things have been ruined by re-makes.

Very, very, very few movie series ever get the momentum going... I was honestly surprised that MiB3 was actually as good as it turned out (mainly cos I love the little time-guy character, and they cast the "young" K really well).

Even Aliens was killed by the "too many sequels" thing and they STILL keep banging on it and the Predator franchises.

Some things are just better left alone. Don't even get me started on "The" Italian Job...

Consultant misreads advice, ends up on a 200km journey to the Exchange expert

Lee D Silver badge

Re: Exam question.

I know a secondary school science teacher who has literally encountered dozens of pupils who have no idea how a match works or how to light them and are shocked that it's actually a real flame that burns their fingers.

In one way, I see that as progress (kids aren't exposed to people smoking), in another way, it is quite worrying that they don't understand how something quite basic works.

Lee D Silver badge

Apparently, the only person in the world who actually worries when something says things like "Just delete the organisation" or "Just upgrade the entire domain" or "Just format the entire drive" is me.

Nobody else seems to actually care a jot about the implications, nor why an ENTIRE organisation has to be deleted to fix some problem.

Do people seriously do these things without question? I mean, it would always have raised red flags to me - as a junior I wouldn't have wanted to be sitting there deleting things in Exchange, as a senior I wouldn't want to be deleting organisations because something on the Internet said so (MS KB or not!).

I have a setup at the moment where we have an Exchange server on the domain, except the ORIGINAL Exchange server went ape and some idiot replaced it without cleaning up. The old one is still there, the old DB is still there, there are references in DNS to the server that no longer exists etc. And things like some of the special mailbox accounts only appear on *some* of the DCs. If you read MS KB, they say "just delete it" and/or "just re-run setup". Though I'm quite sure that works in many instances, I'm not an idiot to trust it.

Three times now, I've taken the whole domain setup down, and done everything recommended to get rid of that old server reference (even spinning up a matching-hotfix-level server, migrating mailboxes, trying to clear the original etc.). Three times it just trashed the domain or the Exchange setup. The only difference is a) I didn't do it blindly while in production, b) I snapshotted every VM on the network before I did it, c) I did it on an isolated copy of the production network, d) I was therefore able to see the destruction, try to fix it, but then roll back the entire state of the test network in seconds, no harm done, without ever touching production.

The *proper* solution is a complete Exchange wipe-and-reinstall, but given that Exchange has worked quite happily in that state for years before even I came along, I'm going to leave that until we need to upgrade/migrate anyway. It's not like I'll actually lose any mailboxes. Because I'm not idiot enough to "just press the button".

I often get asked to go into a charity to help them with their IT. The first instance was for a children's hospice. Can I just get rid of some icons from their desktop setups and change a couple of settings? So I go and have a look. Their systems are managed somehow. They have connections to remote-sites, remote-backups, and other things. Though I'm assured they are their systems "and other branches just work as our backups", and they have administrative passwords, I look a little deeper and the first thing I check is "can I undo any changes I might make?". I see that those backups aren't doing anything (0-byte log files, etc.). As they want me to make changes to all kinds of user settings that aren't just tiny little things, I don't proceed and dig further.

Of course, I could have piled in, made the changes, tweaked the bits and run. But the deeper I dug the more I found. And then when asked why they wanted to make these changes and what work was done on the office machines that I was looking at, the answer: "Oh, it just collates and records all the end-of-life medication that we give the children so we don't make a mistake and accidentally kill one of them". It's not long before I'm backing out of there with hands raised, telling them that they need to get a proper support contract and someone to look at their entire system.

(Happy to take that responsibility, but not without a formal contract and insurance on my behalf!).

Don't be the guy who "just thought he'd try it". Be the cautious guy. The one who warns. The one who warns even when being yelled at to "just do it". And then, even if you're made to do it and it all goes wrong, you can just say "Oh... look... I wonder why I was cautious and told you that was a bad idea..."

Lush scrubs its card-processing servers squeaky clean

Lee D Silver badge

932 outlets, turnover of £995m, profits before tax £73.5m

And they either a) employ an IT team who deploy systems where a stray single delete results in complete loss of central functionality (i.e. no backup, redundancy, failover, etc.), or b) can't get a credit card reader working by putting a 4G-backup router in each store (I'd say for 932 outlets, you could do it for about £200k max, with maybe £50-90k a year ongoing cost?)

Seriously... I mean... things happen but is there really an excuse for that?

Hell, I could argue a business case for the stores just "authorising" the card transaction anyway, but storing it for later batching when connectivity was restored. Nobody is going to notice that the transaction came out a few days later (shops do that to me all the time) and the cost of fraud over a normal day would be negligible compared to the loss of business without cards at all.

Especially if you wouldn't have to go announcing over Twitter that things aren't working, but stores just carry on working silently and unknowingly the same as they always had.

Shocker: UK smart meter rollout is crap, late and £500m over budget

Lee D Silver badge

Sack Siemens.

New flat, new supplier, they offer to change Pre Pay meter to "smart" meter.

I went with it as I wanted a day off anyway, and they offered me credit against my electric for doing so (plus, I could top-up from my phone rather than having to mess about with keys).

They asked all kinds of details about the meter (it's YOUR meter... you check it regularly because I get the emails every few months... why do you not know?!). Including whether I had storage heaters (Yes) or dual-rate meter (Yes).

Woman from Siemens turned up on my day off. Saw the storage heaters. Said "I've not got the right meter". Disappeared never to be seen again. A year on, no follow-up. But I still keep getting the same spam email about "Would I like a smart meter?"

Sure, compensate me for a lost day off, plus the other day to actually do the job this time, and I'll think about it.

Lee D Silver badge

Re: Home security problem

I ring your doorbell.

Bang, I instantly know if you're at home or not*.

(*unless it's the 31st October).

This is really a dubious concern anyway. My house pulls electric at all times of the day, throughout the day, whether I'm there or not. It'd be a CINCH however for a mobile telecommunications operator to tell you whether I was at my registered address or not.

And probably most people give their details away to an airport car park every time they go on holiday and park in the long-stay car parks.

It's really a null concern. If your house is insecure, secure it. If someone's gonna break in, it's not gonna be some highly-targeted affair. And if someone breaks in, your alarm is bog-useless too (have it notify you, or it's just pointless - only you know if it SHOULD be going off, and only you care about someone burgling you, and only YOU should need to deal with false alarms).

Black(out) Friday for HSBC: iOS and Android banking apps on the fritz

Lee D Silver badge

Re: Not working here

There's a reason I signed up for another bank account and don't really use it... for precisely such instances where I can't get to money that I may need to. Monzo seem to be very good considering the account is virtually dormant. But guess who gets all my business when HSBC really affect something I need to do?

On the secure-key thing... I once had an interesting conversation. I'd lost the physical key calculator thing. I phoned up HSBC to get a new one. Oh, they said, you can just use your smartphone now. Cool, so I don't need the key thing any more? No... just sign up and get the smartphone app and it will generate codes for you. Okay... how do I sign up for that. Well, you just install the app and then put in a code from your SecureKey into it. The secure key I don't have? Oh, they said, you can order a new one from the website. Okay. How do I do that? "Just log in to the website". Okay, how do I log in? "With your usual details". Okay, what about when it asks me for the code? "Oh, then you just type in the number given on your security key calculator thingy". The one I haven't got? "Oh, you can order one on the website"

It literally took three people to resolve the logical fallacy at play. The solution was to post me a SecureKey, and a signup-code. And then I would use that PRECISELY ONCE to install the smartphone app.

And then they had the cheek to ask how I wanted it sent. Well, we can email or post you the code but the device will take 2 days to arrive. Okay... but... the code is useless without the key, right? Yes, but we can email you. What would be the point of that? Well, then you'd get the code faster. Yes but... I won't be able to use it until the key arrives anyway...

I sensed another infinite loop so I applied "goto: Just_send_me_the_damn_thing".
