* Posts by MJB7

570 publicly visible posts • joined 27 Nov 2013

BOFH: The Christmas party was so good, an independent inquiry is required

MJB7

Re: Plagiarism?

Point of order: Cummings is not "an honourable gentleman". Not even in the language of the Palace of Westminster. That is reserved for Members of Parliament, and Cummings has never done anything so beneath him as to ask the common populace to vote for him.

Google Groups ditches links to Usenet, the OG social network

MJB7

Google has decided [the modern internet] doesn't need Usenet anymore.

No. Google has decided Google doesn't need Usenet anymore.

However, I used to follow a dozen groups or so, and I haven't looked at any of them in certainly the last five years. I doubt I am alone.

Canon claims its nanoimprint litho machines capable of 5nm chip production

MJB7

Re: “ a mask imprinted with a circuit design”

The boring answer is almost certainly electron beams. Cutting very fine details with an electron beam has been possible for ages (I think that's how existing masks are made). The problem for chip lithography is that electron beam is _slow_ (you only cut one bit at a time). An optical mask can cover the whole chip in one go.

PhD student guilty of 3D-printing 'kamikaze' drone for Islamic State terrorists

MJB7

Re: explicitly creating schematics for an explosive warhead

Somebody created schematics for an atom bomb for their PhD to prove that it could be done from publicly available information.

Intel spices up its FPGA game with open source and RISC-V freebies

MJB7

Re: Giving Away Free Stuff?

My employer has recently moved from a separate crypto accelerator to an FPGA - and expects to go further.

Toyota servers ran out of storage, crashed production at 14 plants in Japan

MJB7

Re: Lost in Translation?

> Also, I would posit it would be organiSed, but it appears Toyota speaks American rather than English :)

Or maybe they speak proper English, as recommended by the Oxford English Dictionary? en.en-gb-oxendict ftw!

Microsoft: China stole secret key that unlocked US govt email from crash debug dump

MJB7

Re: Alternative explanation..

> I'd think even a half-competent government can probably build their own data centers and go fully open source for about the same price.

Do you mean "a government which is half-way along the list of governments sorted by competency"? Looking at the number of government-based IT disasters, I really doubt it.

Or do you mean "a government which is half-way to being fully competent"? I'm not sure there are any of those.

BOFH: What a beautiful tinfoil hat, Boss!

MJB7
Boffin

Re: ECO DECT

> Plants expirate oxygen, not CO2.

Plants expire CO2 at night.

Space junk targeted for cleanup mission was hit by different space junk, making more space junk

MJB7

Re: Newton on line #2

> Can someone explain to me how a hyper-velocity impact with a satellite fails, enough to break chunks off, does not result in a significant effect on the orbit?

Not sure what the actual numbers are here, but:

1 tonne (1 Mg) stage in orbit.

10g "thing" smacks into the stage at 10,000 m/s relative to the orbiting stage. That's quite a bang, and could easily crack something off, but it changes the momentum by 100,000 gm/s - which is a change in velocity of 10cm/second. Typical LEO orbital velocities are about 8,000 m/s (which is why I chose 10,000).

Net result: The orbit changed (of course), but not significantly. A 10kg bullet would make more of a difference - but it would still be pretty small.

Tesla knew Autopilot weakness killed a driver – and didn't fix it, engineers claim

MJB7

Re: Big plastic wind deflectors

They may cost more than side-bars under the trailers - but wind deflectors save money in the medium term (by reducing fuel consumption - which is something truck owners care _deeply_ about).

Discord.io pulls the cord after crooks steal 760K users' info

MJB7
Boffin

Re: Good and bad here

> Passwords salted and hashed, miscreants aren't going to be able to do much with that

Depends _how_ it is hashed. If it is PBKDF2 with 1000 iterations of SHA1, it'll take longer to download the data than to find if the password is one of the top 1000 passwords.

If they are following OWASP recommendations and using Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism then I agree. However "following OWASP" probably isn't the way to bet in this case.

... but I do agree that they deserve plaudits for being upfront about the situation.
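To put numbers on the difference the post describes, here is an added example (not part of the original post) that measures the cost of one password guess under PBKDF2-HMAC-SHA1 with 1000 iterations and under a memory-hard KDF, then scales that to a common-password audit of a salted hash dump. It assumes scrypt as a standard-library stand-in for Argon2id, and the word list and record are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a "top passwords" list (the post speaks of 1000).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


def pbkdf2_sha1(password, salt, iterations=1000):
    """The weak setting named in the post: PBKDF2-HMAC-SHA1, 1000 iterations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def memory_hard(password, salt):
    """scrypt as a stand-in for Argon2id (assumption: Argon2id is not in the
    standard library). n=2**14, r=8 costs about 16 MiB of memory per guess."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def seconds_per_guess(kdf, rounds=5):
    """Average wall-clock cost of evaluating the KDF once on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        kdf(f"guess-{i}", salt)
    return (time.perf_counter() - start) / rounds


def matches_common_password(stored, salt, kdf, wordlist=COMMON_PASSWORDS):
    """Audit check: does a stored salted hash correspond to a listed password?"""
    return any(hmac.compare_digest(kdf(word, salt), stored) for word in wordlist)


def audit_seconds(records, wordlist_size, per_guess):
    """Single-core time to test every record against the whole list.
    Per-record salts force one KDF call per (record, candidate) pair."""
    return records * wordlist_size * per_guess


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = pbkdf2_sha1("letmein", salt)  # constructed record
    print("listed password in use:",
          matches_common_password(stored, salt, pbkdf2_sha1))
    for name, kdf in (("PBKDF2-SHA1 x1000", pbkdf2_sha1),
                      ("scrypt 16 MiB", memory_hard)):
        cost = seconds_per_guess(kdf)
        hours = audit_seconds(760_000, 1000, cost) / 3600
        print(f"{name}: {cost * 1e3:.2f} ms per guess, "
              f"{hours:,.0f} core-hours for 760K records x 1000 words")
```

The figures are for one CPU core running Python; the salt only prevents work being shared between records, so the per-guess cost of the KDF is what sets the total.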

Virgin Media email customers enter third day of inbox infuriation

MJB7

Re: People needing access to tickets...

I couldn't be bothered to set up a Thunderbird account when I switched to a new laptop ~10 years ago. The Gmail web interface is "good enough". Yes, yes, I understand the benefits, but life is too short.

Amazon Prime too easy to join, too hard to quit, says FTC lawsuit

MJB7

Different UI in America?

I wonder if I see a different UI (connecting to amazon.de). The last couple of times I have signed up for a free 3-months Prime trial, I have found it really quite straightforward to cancel my Prime membership.

I also like the fact that I can sign up, place the order, and then cancel it - but it still lasts until my three months is up.

Lenovo's Yoga 9 is flexible at home, but stretches the friendship at work

MJB7

receiving MFA texts on their own phones

Err.

1. SMS is the _least_ secure MFA option (by a substantial margin). Use a TOTP generator instead.

2. There are certainly a substantial number of people in my office who won't install a custom app to act as an MFA token on their own phones. I don't _know_ whether they would accept texts - but I wouldn't want to bet on it!

DC thermal management, power kit is getting easier to find and a lot more expensive

MJB7

Is it just me?

I read "DC .... power kit" and thought this was talking about "Direct Current" rather than "Data Centre".

False negative stretched routine software installation into four days of frustration

MJB7

Re: Marital Status: British

Minor nit: I _think_ even Alabama now insists on children being at least 14 before marrying.

A 13yo legally married to an adult in one of the United States is probably legally married in the UK. They just can't have sex in the UK (and the adult is at risk of being prosecuted for having sex in America).

MJB7

Re: On the other hand...

The worst bug I ever came across was a memory corruption bug that only occurred if the username had an odd number of characters. The programmer who kept encountering the bug did. The programmer who was trying to debug it had an even number of characters in their user name. That was _days_ of fun!

(This was before valgrind.)

Supernova peekaboo could provide clues to our universe's age

MJB7

Re: Physics check please

Photons have no rest-mass. However they have energy, and hence have a (non-rest) mass. A dense cloud of photons can gravitationally distort space.

Cheapest, oldest, slowest part fixed very modern Mac

MJB7

Re: Lights on the same circuit as power

Standard practice in Germany. Don't forget, everything is on a series of 16A radials, rather than ring circuits (and neither appliances, nor lights, have fuses).

The safety and cost trade-offs between the UK and European systems are complex - but neither is per-se dangerous.

Upstart encryption app walks back privacy claims, pulls from stores after probe

MJB7

Re: RSA

It is perfectly possible to write secure systems with RSA. What's wrong with it, is that it is slower to sign/encrypt than a corresponding EC algorithm, and it is _much_ slower to generate a new key. That last point matters if each participant generates a new keypair for each message (as they should), and only uses the persistent key pair for authenticity.

There _is_ a theoretical point that because quantum computers break asymmetric cryptography in a completely different way to classical computers, a quantum computer that can break RSA-3076 will need about 12 times as many qubits as one that can break NIST-P256. If quantum computers develop at something like Moore's Law (a _big_ if), that gives RSA-3076 about a decade advantage over P256.

MJB7

Re: Signal AND WhatsApp?

Sure, Signal has _much_ better security than WhatsApp - but while Signal is top of the Premier League and WhatsApp is low in Division 1, Converso is a bunch of mates who get together for a kick-about and a beer.

Astronomers say they've seen the largest explosion yet – and we just had to talk to them

MJB7

Re: Would it even be possible for black holes to suck each other up?

Absolutely. And we have seen it happen multiple times: https://en.wikipedia.org/wiki/List_of_gravitational_wave_observations.

The usual term is "merger" rather than "suck each other up".

BOFH: Ah. Company-branded merch. So much better than a bonus

MJB7

Re: Acronym-Ignorant

The Cambridge Maths Tripos Part III is a fourth year of university which prepares students for a career in mathematical research. The questions on the exam paper are often of the form "Prove or counter-example the following proposition". Legend has it that the exam setters don't always know the answer.

Is there anything tape can’t fix? This techie used it to defeat the Sun

MJB7

Re: Not only mice

You are referring to Zaha Hadid. Coincidentally I was in her fire-station this morning. It was a fire station for a big factory - run by Vitra, which makes designer furniture and is famous for having a factory site with examples of amazing architecture. The fire station is a fabulous bit of a sculpture, but is indeed useless as a fire station.

The Hubble Space Telescope is sinking! Two startups want to save it for free

MJB7

Who's going to pay for this?

"NASA is not going to spend any money on this" - I know space launches are getting cheaper, but they are still not cheap.

I don't think anyone is going to pay for a launch "for the exposure".

You can cross 'Quantum computers to smash crypto' off your list of existential fears for 30 years

MJB7

Wow!

Adi Shamir, Clifford Cocks, _and_ Whitfield Diffie on one stage!

If you don't get open source's trademark culture, expect bad language

MJB7

Just because "rust" is a generic term in one context doesn't mean it can't be a trademark in another. A domain for the movie will contain the word rust, but it won't be the Rust language trademark.

Automation is great. Until it breaks and nobody gets paid

MJB7
Headmaster

Re: "execute his target script 16384 times"

Not exponential: quadratic.

Quadratic is nasty - it won't bite in testing (like exponential usually will), but it bites with a vengeance in production!

Yes, I am a pedant. Why do you ask?

MJB7
Windows

Re: 15 bit computers?

Good grief! Doesn't _everyone_ know that signed 16-bit integers overflow when you increment past 32767? Really?

Icon, my age.

MJB7

Re: I have consulted in many places over the years

Good grief, we have 100's of shell scripts in our git repos - and you can can't any of them without a code review. (I am trying to convert many of them to python scripts - but that's a _long_ term project).

Uptime guarantees don't apply when you turn a machine off, then on again, to 'fix' it

MJB7

Re: wait till a support person arrived

I don't think that is what the problem was.

They should have dispatched the engineer _straight away_, in case the on-site engineer was needed. Then they should have diagnosed and fixed the problem remotely (and then told the engineer to come back).

The alternative is to wait an extra half an hour while they diagnose the problem and realize they need an on-site engineer. That's half an hour wasted.

MJB7

Re: meet "Rod"

I'm never really very convinced about how effective the Regonomiser is, and how true the "not his real name" bit is.

Germany sours on Microsoft again, launches antitrust review

MJB7

Um, putting Bavarian chauvinism to one side for a moment, you do know that Munich is actually in Germany don't you?

AWS security exec: You don't want to win this database popularity contest

MJB7

Re: The Easy Path was Taken: Why?

Security is difficult, but the one thing you _don't_ need in your list is "an understanding of the maths of cryptography" (let alone a deep understanding). What you _do_ need, is to understand what promises a cryptographic primitive makes and what promises it _doesn't_ make.

As an example, I know almost nothing about AES or 3DES beyond "stick a secret and a key in here, magic happens, and ciphertext appears out here". However I _do_ know that these only promise that an attacker cannot determine the secret given the ciphertext. What they don't promise is that the attacker can't modify the ciphertext in a way which modifies the secret. For that, you need an AEAD scheme like AES-GCM or AES-CBC + HMAC.
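The missing promise described above, shown as an added example that is not part of the original post: ciphertext from an encryption-only scheme can be edited in transit so that it decrypts to a different message, and an encrypt-then-MAC wrapper rejects the same edit. AES is not in the Python standard library, so a SHA-256 counter keystream stands in for AES in a stream mode (an assumption made for illustration); the message is constructed sample data.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Illustrative keystream: SHA-256 over key || nonce || counter.
    Stand-in for an AES stream mode; not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key, plaintext):
    """Confidentiality only: 16-byte nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt_only(key, blob):
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: the HMAC tag covers the nonce and the ciphertext."""
    blob = encrypt_only(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, sealed):
    """Verify the tag before decrypting; refuse anything that was altered."""
    blob, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_only(enc_key, blob)


def flip(blob, offset, old, new):
    """Edit ciphertext without any key: XOR (old ^ new) in at a known offset."""
    out = bytearray(blob)
    for i, (a, b) in enumerate(zip(old, new)):
        out[offset + i] ^= a ^ b
    return bytes(out)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    message = b"pay=0100;to=alice"  # constructed sample message
    edited = flip(encrypt_only(enc_key, message), 16 + 4, b"0100", b"9900")
    print("encryption only:", decrypt_only(enc_key, edited))
    try:
        open_sealed(enc_key, mac_key,
                    flip(seal(enc_key, mac_key, message), 16 + 4, b"0100", b"9900"))
    except ValueError as err:
        print("encrypt-then-MAC:", err)
```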

Boffins claim discovery of the first piezoelectric liquid

MJB7

Re: Interesting question

The materials under discussion are described as "ionic liquid salts". If it's a liquid which is full of ions, it is hard to see how it could _not_ be a conductor.

(But as they've already done one impossible thing before breakfast, there's no obvious reason they shouldn't do another.)

Google's claims of super-human AI chip layout back under the microscope

MJB7

Re: Not exactly "natural", is it?

The magazine was up and running long before the meaning of “Nature” ...

Exactly. I studied "Natural Sciences" at University, which in my case meant Physics, Chemistry, and Metallurgy.

Are you ready to go all-in, head-first, on a laptop? ASUS's Zenbook Pro 16X asks for that commitment

MJB7

Re: IEC lead

The trouble with having the plug cast into the body, is when you go abroad regularly. With an IEC lead I can take my charger and the right IEC lead and I'm good. With a moulded-in plug, I need an adaptor (which in Switzerland for example will obstruct both the other sockets in the outlet).

White Castle collecting burger slingers' fingerprints looks like a $17B mistake

MJB7

Re: ..a gut-wrenching decision for White Castle's legal team..

This isn't the first court; this is the Illinois Supreme Court. There is no appeal unless they want to try and claim the Illinois state law violates the US constitution (_and_ they can persuade SCOTUS to take the case).

Uncle Sam wants to strip the IoS out of IoT with light crypto

MJB7
Boffin

Remember folks, the S in IoT stands for "Security"

(shamelessly stolen from cryptography.stackexchange.com)

MJB7

Re: "...lightweight cryptography..." ... Or More Misdirection?

RSA 1024 is only acceptable for historic protocols. It should not be used today. RSA 2048 is perfectly acceptable today, but for longer term security, you need RSA 4096 or higher.

Key generation _is_ slow for RSA. The hardware security module my employer makes can take 15 minutes to generate an RSA16384, and it's got a relatively beefy processor. An IoT device is going to take a while to generate RSA2048 (not to mention the problem of "where does it get the entropy from") - but it doesn't have to do that for every message.

Go to security school, GoTo – theft of encryption keys shows you need it

MJB7

Re: Persistent keys are the problem.....

Firstly, you keep claiming that Alice and Bob can communicate securely "with no transmitted keys and no public keys at all." but you refer to Diffie Hellman.

In the Diffie-Hellman protocol:

- Alice generates a secret key a, and a public key A = e**a

- Bob generates corresponding b and B.

- Alice TRANSMITS her PUBLIC KEY (A) to Bob

- Bob TRANSMITS his PUBLIC KEY (B) to Alice

- Alice computes B**a == (e**b)**a == e**ab;

- Bob computes A**b and they have a shared secret e**ab which they can use to encrypt data.

(Beware: the above is a gross simplification. Do not use this to implement DH.)

Secondly, you have also missed the point that this is _storage_ encryption. Communication (data in transit) can use ephemeral keys, but data-at-rest must be encrypted by keys that persist until the data is no longer required.

And I haven't even _started_ on the issue that DH is completely unauthenticated, so Alice has no way of knowing she is communicating with Bob and not Eve.
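The exchange listed above, as an added example that is not part of the original post: it shows the two public values crossing the wire, both sides arriving at the same secret, and why the lack of authentication matters, since a party who swaps the public values in transit ends up sharing one key with each side. The modulus and base are toy values chosen for the example, and the HMAC tag under a pre-shared key is an assumed stand-in for signing the public value with a persistent key pair.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (constructed; far too small for real use)
G = 3            # public base, written "e" in the post


class Party:
    def __init__(self):
        self.secret = secrets.randbelow(P - 3) + 2   # a or b: never transmitted
        self.public = pow(G, self.secret, P)         # A or B: sent in the clear

    def shared(self, peer_public):
        return pow(peer_public, self.secret, P)      # B**a or A**b


def honest_exchange():
    """Returns both derived secrets and what an observer saw on the wire."""
    alice, bob = Party(), Party()
    wire = {"alice->bob": alice.public, "bob->alice": bob.public}
    return alice.shared(wire["bob->alice"]), bob.shared(wire["alice->bob"]), wire


def intercepted_exchange():
    """Eve replaces each public value in transit with her own."""
    alice, bob, eve = Party(), Party(), Party()
    return {
        "alice": alice.shared(eve.public),      # Alice believes this is Bob's B
        "bob": bob.shared(eve.public),          # Bob believes this is Alice's A
        "eve_alice": eve.shared(alice.public),
        "eve_bob": eve.shared(bob.public),
    }


def tag(auth_key, sender, public):
    """Bind a public value to its sender. HMAC under a pre-shared key is a
    stand-in (assumption) for a signature made with a persistent key pair."""
    message = sender.encode() + public.to_bytes(16, "big")
    return hmac.new(auth_key, message, hashlib.sha256).digest()


def accept(auth_key, sender, public, received_tag):
    """Receiver's check before using a public value in the exchange."""
    return hmac.compare_digest(tag(auth_key, sender, public), received_tag)


if __name__ == "__main__":
    k_a, k_b, wire = honest_exchange()
    print("honest: secrets match:", k_a == k_b, "| sent on wire:", list(wire))
    r = intercepted_exchange()
    print("intercepted: alice/eve share a key:", r["alice"] == r["eve_alice"],
          "| alice/bob share a key:", r["alice"] == r["bob"])
    auth_key = secrets.token_bytes(32)
    alice, eve = Party(), Party()
    t = tag(auth_key, "alice", alice.public)
    print("substituted value accepted:", accept(auth_key, "alice", eve.public, t))
```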

Bringing cakes into the office is killing your colleagues, says UK food watchdog boss

MJB7

Re: Free healthcare

Changing dentist almost inevitably means changing _to_ paying privately. There are very, very, few dentists taking on NHS patients these days (with the possible exception of children - but even that is dying out).

For password protection, dump LastPass for open source Bitwarden

MJB7

Re: Don't rely on a single password

"you're a terrible password generator" - this is true. So don't generate the password yourself. Both Bitwarden and diceware will let you generate a cryptographically secure passphrase which works just fine.

Reading between the lines though, it is disappointing to see that Bitwarden don't use a secret from the second factor to decrypt the vault.

Swiss Army's Threema messaging app was full of holes – at least seven

MJB7

Re: Where Have I Heard These Claims Before?

> the keys used for E2EE are persistent somewhere [on the service provider's network]

Only if the software is badly designed (as Threema seems to have been). When I was working for a company providing E2EE mobile comms (based in Zürich as it happens), the private keys never left the phone. That's easy to arrange.

Remember the Ozone hole? The satellite that spotted it just caused a space junk scare

MJB7
Boffin

Re: Credit where it is due

The story is better than that.

The satellite was in orbit before BAS started taking measurements. However the graphs displayed to end users used preprocessed data, and one of the preprocessing steps was to replace obviously absurd values (because they were too small) with a sensible minimum value.

Oops.

Jonathan Shanklin on the other hand knew almost nothing about the ozone layer, so just blindly plotted the observed values.

Footnote: There are many things he knows almost nothing about, but I don't think "the ozone layer" is still one of them.

Chinese researchers' claimed quantum encryption crack looks unlikely

MJB7

Re: Colour me shocked

Scott Aaronson is not a mouthpiece of the American government, and he's not the only one pouring cold water on this claim. Lots of people are working on post-quantum crypto, but nobody is particularly rushing to roll it out. Apart from anything else, you don't want to discover you've implemented SIDH and then somebody comes along and breaks it over a weekend.

TSMC ramps up 3nm chip baking at Taiwan plants

MJB7

Is it just me?

3nm is FIFTEEN silicon atoms. I realize that these lengths are no longer the actual size of the transistor, but even if it's the radius of the curves, we are getting to the point where we can no longer consider silicon as a continuum.

Also, a cube 3nm across has a volume of 27e-27 m3. Wikipedia says dopant concentration runs up to 10**18 per cc which is 10**24 m3 ... which implies such a cube has zero dopant in it!

Since humans can't manage fusion, the US puts millions into AI-powered creation

MJB7

Re: Nothing new.

"It's just that history starts from its IPO"

Um, if I type (for example) "Henry VIII", "Hammurabi", or "Paleozoic" into Google I find lots and lots of links - and those all predate Google's IPO by a considerable margin.

NIST says you better dump weak SHA-1 ... by 2030

MJB7

SHA-1 is not completely broken

There are various ways to break a cryptographic hash function. The first is to generate two different messages with the same hash value (a collision attack). This is the easiest break for the attacker, and SHA-1 has been broken like this for some time, and has not been allowed by NIST for uses where this matters for some time either.

The next break is: given a specific message (defender controlled), find another (different) message with the same hash value (a pre-image attack). Not only has SHA-1 not been publicly broken like this, neither has MD5. If you have an expert cryptographer on hand†, they can advise you whether your application is vulnerable to a collision attack, or whether it needs a pre-image attack to break it. If it needs a pre-image attack, there is no need to panic (but move away from SHA-1 at your earliest convenience).

† Don't look at me, I just use a few handy rules of thumb when doing crypto - one of which is "don't use SHA-1".

Server broke because it was invisibly designed to break

MJB7

Re: A service provider that doesn't bill because their attempted fixes failed?

I can see why IT support might seem like a sensible thing to outsource. Instead of having one person who needs to be able to handle DB admin, network configuration, hardware wrangling, etc (and who can't go on holiday), you can have a share of a full-time DBA, and a networking guru, and a hardware expert - and with cover so you don't have to worry about holidays or sickness.

In practice of course, it never seems to work. I remember when I foolishly deleted a file and asked IT (a three man in-house team) to restore a copy from backup if possible (if not, I could regenerate from scratch). Three days later I got an apology for having taken so long - they had been struggling with sickness in the team. AT THE SAME TIME, my customer had corruption in their SourceSafe database. The only fix was a restore from backup. Until this was sorted, a ten person team were effectively unable to work. It took their (out-sourced) IT over a week to restore it.
