* Posts by MJB7

134 posts • joined 27 Nov 2013

Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers


Re: Max fine

"the regulator has no qualms about setting maximum fines for the really big offences" - I don't think that is what is going on here. I think what happened is that GDPR has upgraded the scale for fines like this. In other words the regulator thought about what fine they would levy if GDPR applied, and then capped it at what the DPA allowed.

I would be surprised if they would hand out a maximum fine under GDPR for this; but of course, even 0.4% of global turnover would get the attention of the boards of the other credit agencies.

'Men only' job ad posts land Facebook in boiling hot water with ACLU


Re: (m/f) in job ads

Certainly in Germany, this is because discrimination is outlawed, but the grammar is such that job titles are different for men and women. A male programmer is "ein Programmierer", a female programmer is "eine Programmiererin" (you can occasionally still see that in English: "an actor" vs "an actress"). This applies to *all* job titles. That means you can either advertise for "ein(e) Programmierer/Programmiererin" or "ein Programmierer (m/w)" - and most choose the latter.

I expect the same applies to most European languages.

Raspberry Pi supremo Eben Upton talks to The Reg about Pi PoE woes


Re: Hats off to 'em...

"TBH, we should have spotted this in testing"

Well yeah, that would have been nice. But the fact that your saying that in a public forum is not a career-limiting move is what we are applauding.

... although it would have been nice to see something about this in my RSS feed from the RPi blog (I'll go and sit in the nit-pickers corner shall I?)

Google goes bilingual, Facebook fleshes out translation and TensorFlow is dope



A friend's daughter can (could - this is probably 20 years ago now) speak Urdu because she spent so much time playing with her best friend that she picked it up from the best friend's mother (who didn't speak English).

I imagine there is quite of a bit of local authority material written in both English and Urdu.

Microsoft gives Windows 10 a name, throws folks a bone


Re: LibreOffice

I use both LibreOffice and MS Office. LO is OK, but in my view it's definitely not as user-friendly as MSO (and I'm a bit of a power user). Whether the difference is worth the cost? For a business - probably.

Connected car data handover headache: There's no quick fix... and it's NOT just Land Rovers


Re: Why?

Connecting the infotainment system to the ECU means that the radio can automatically turn up the volume as the speed increases (to compensate for increased engine and road noise). It is also dead useful for the navigation system to have access to the road speed from the ECU - it allows it to dead reckon inside tunnels (where the GPS signal tends to be somewhat limited).

Of course, in a properly secure system, the infotainment system would be connected to a secure module that can *read* the CAN bus, but refuses to write to it. The problem there is that another module costs dollars, and car manufacturers care about saving cents.

You may feel that remote central locking gets the balance between usability and security wrong; I don't. I value being able to remotely unlock the car - it's not a *huge* benefit, but the risk seems to be pretty low too.



This doesn't mean "we will object if you sell them separately", it means "you will be breaking the law if they are sold separately, because they aren't individually labelled with the ingredients etc".

Cache of the Titans: Let's take a closer look at Google's own two-factor security keys


Re: Single device secret

Key derivation from a master secret to generate multiple keys is a well understood cryptographic problem. It can be done either with an encryption algorithm (like AES) or a keyed hashing algorithm (like HMAC-SHA1). Either way, there is no way for an attacker to derive the master secret or another credential given one compromised credential unless they have a major break in the underlying algorithm (and the SHA1 collision recently found is *not* enough to help).

The advantage of doing this, is that you don't need more entropy for each new credential - and obtaining entropy for a small low-powered device like this is *hard*.
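The derivation the post describes, as an added example (not code from the original post, and not Google's Titan firmware): a single master secret is stretched into as many per-credential keys as needed with HKDF (RFC 5869) over HMAC-SHA256. SHA-256 is used here instead of the HMAC-SHA1 the post mentions; the `Authenticator` class, the `credential-key` label, the 32-byte master secret and the counter-based credential ids are all assumptions made for illustration. The point it demonstrates is the one in the post: the device stores only the master secret, regenerates each credential key on demand, and needs no fresh entropy per credential, because the HMAC chain, not a random draw, is what makes each key unique.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies.
    """
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand cannot produce more than 255 * HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_credential_key(master_secret: bytes, rp_id: str, credential_id: bytes) -> bytes:
    """Per-credential key from one master secret (assumed construction).

    The relying-party id and credential id are bound into the HKDF `info` so
    that every (site, credential) pair gets an independent-looking key, and
    recovering the master secret from any derived key would require breaking
    HMAC-SHA256 itself.
    """
    prk = hkdf_extract(b"demo-authenticator-v1", master_secret)  # constructed salt
    info = b"credential-key|" + rp_id.encode("utf-8") + b"|" + credential_id
    return hkdf_expand(prk, info, 32)


class Authenticator:
    """Toy security key: persistent state is the master secret and a counter only."""

    def __init__(self, master_secret: bytes) -> None:
        if len(master_secret) < 32:
            raise ValueError("master secret should carry at least 256 bits of entropy")
        self._master = master_secret
        self._next_id = 0  # no per-credential randomness needed, only a counter

    def register(self, rp_id: str):
        """Create a new credential; the relying party stores the returned id."""
        credential_id = self._next_id.to_bytes(4, "big")
        self._next_id += 1
        return credential_id, derive_credential_key(self._master, rp_id, credential_id)

    def recover_key(self, rp_id: str, credential_id: bytes) -> bytes:
        """Regenerate a credential key from the id the relying party sends back."""
        return derive_credential_key(self._master, rp_id, credential_id)


if __name__ == "__main__":
    # Constructed master secret for the demo; a real device draws this once from its RNG.
    device = Authenticator(bytes(range(32)))
    cid, key = device.register("bank.example")
    assert device.recover_key("bank.example", cid) == key
    print("credential id:", cid.hex(), "key:", key.hex())
```

Nothing per credential is written to the device beyond the counter: if the relying party later presents an unknown or forged credential id, the key that comes out simply won't match anything it registered, and the master secret never leaves the HMAC input.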

Early experiment in mass email ends with mad dash across office to unplug mail gateway


Re: Let me try

The city of Leicester is pronounced exactly the same as Lester Haines' first name. The city of Worcester is pronounced pretty much the same as Bertie Wooster's last name (except this is slightly more confusing: the stress is on the last syllable, and the "oo" is a bit more of an indeterminate vowel).

Spectre rises from the dead to bite Intel in the return stack buffer



Bruce Schneier commented at the time that Spectre was first found that there are going to be a whole class of issues like this, and academics are going to be busy finding them for years.


Re: Asking (possibly) dumb question

There's no such thing as a stupid question (but failing to ask can be very stupid).

In general, you can't gain access to these buffers directly - but you can do things (like call a function), which will modify the buffers in a predictable way. Furthermore, by carefully timing things(*) you can estimate the contents of the buffer (if it has one value an operation, like return, will be fast; if it has another, it will be slow).

*: You might think that just adding a bit of timing jitter would be enough to fool this. Sadly, it turns out to be easy enough to repeat the exercise and average out the jitter. It turns out that you can do accurate-enough timing from within JavaScript - you don't need access to the hardware cycle counter.

If at first you, er, make things worse, you're probably Microsoft: Bug patch needed patching


Re: VBScript itself is a problem

Err, 'C' is about twice that (started in 1972, K&R published in 1978), and it's *everywhere*. Fortran is just less than three times as old - first published in 1957 (although less popular than it once was).

Age is not a good reason to get rid of a language, in fact it's a reason to keep it - we've probably got rid of most of the nasties from the compiler/interpreter, and we know where the dragons live when writing it.

Mmm, yes. 11-nines data durability? Mmmm, that sounds good. Except it's virtually meaningless


Re: Sigma(σ)?

The standard deviation is a useful and well-defined concept for a normal distribution. However we are not dealing with normal distributions here - more like Poisson (with a *very* low probability). The result is that standard deviations are not particularly meaningful (although, to be fair, 11-nines isn't either).

Samsung’s new phone-as-desktop is slick, fast and ready for splash-down ... somewhere


Re: Must be tek4010

More likely to be a Tek 4014. The 4010 had an 11" screen, but the 4014 was a 19" screen - it was a beast.

Intel confirms it’ll release GPUs in 2020


Single die vs plugin card

Sure *gamers* will upgrade their GPU - but the really *big* market for GPUs is not processing graphics!

We have pretty much run out of steam improving single-threaded performance. Multiple cores is the only way to improve performance. Once you start doing that at scale, you can drastically reduce the cost of each core by not trying to squeeze every last drop of performance out of it (you also design out Spectre et al). Once standard desktop software needs a GPU to perform well, everybody is going to want one - and they won't want it on a separate card.

The commentard who compared GPUs to floating point hardware had it exactly right.

Tesla undecimates its workforce but Elon insists everything's absolutely fine


Re: Maybe 1 in 1000

40% of all cars registered in Norway in 2017 were electric or hybrid.

In Europe as a whole, plug-in electric cars were 1.4% of new registrations, which means we are probably not far off your "1 in 1000" of cars on the road already. (It will vary how you count it - electric vehicles probably do shorter journeys, so a lot fewer than 1‰ miles will be by electric vehicles).

Norway plans to ban new petrol/diesel cars by 2025 (which is 8 years away, not 30).

Even France and the UK plan to ban new cars by 2040 (which is rather less than your "30 years", but is distant enough that it could easily slip).

I think one in three by 2028 is quite plausible.

Hello, this is the FTC. You have been selected for a free lawsuit... Robocall pair sued


Answer phones

"Most answering machines won't let you delete a message without listening to it." I don't think I've ever tried deleting a message without listening to some of it - but I've never had an answerphone which didn't let you delete a partly listened-to message.

UK judge appears in dock over Computer Misuse Act allegations

This post has been deleted by a moderator

BOFH: Their bright orange plumage warns other species, 'Back off! I'm dangerous!'



The real problem with the current H&S legislation in the UK is that it requires people to actually *think* - and we all know how popular *that* is.

Welcome to Ubuntu 18.04: Make yourself at GNOME. Cup of data-slurping dispute, anyone?


Re: "IP address is PII"

No it isn't - but PII is an American term. The GDPR term is "PD" - "Personal Data", and an IP address absolutely *is* PD. GDPR is much wider than American rules (there's a surprise).

EmDrive? More like BS drive: Physics-defying space engine flunks out


Re: conservation of momentum

Yes, conservation of momentum applies at the quantum level. The only caveat is that you can't measure the input or output momentum of the system with absolute precision. (But nobody has come up with a quantum experiment where momentum is clearly not conserved.)

German IKEA trip fracas assembles over trolley right of way


Re: "Open another queue"

Good lord! We don't get that sort of behaviour in Baden; they're a friendly lot here. Bavaria on the other hand ...

Family Planning office warns customers private parts may be exposed


Re: ANZAC day

However I think Remembrance Day is a comparatively minor event, while ANZAC day is the big day for remembering the dead from wars. As such, I think the description as "the equivalent of Remembrance Day" is fair.

Equifax reveals full horror of that monstrous cyber-heist of its servers



It shouldn't; what should worry you is all those idiot organizations that think your SSN is a secret. It's perfectly fine as a unique identifier (at least, if you only want to deal with legal US residents), but it's an absolutely appalling secret.

Royal Bank of Scotland decision to axe 160+ branches linked to botched IT gig – Unite


Re: "not that I'm a member of NatWest or RBS now"

You never were a member of NatWest or RBS. Neither of those were ever mutuals (although they have probably absorbed ex-mutuals - I can't be bothered to check). You were a customer. You'd have to use one of the remaining building societies to be a member (Nationwide is pretty good, despite being larger than all the other building societies put together).

AMD CEO Su: We like GPU crypto-miners but gamers are first priority


Re: "demand far outstrips supply"

Yes, everything in the garden is rosy **at the moment** (for vendors). However, there will come a time when the cost of the electricity to mine coins is worth less than the mined coins. At this point, rational miners will stop using their GPU rigs and sell them.

The real problem for the likes of AMD is that this point probably won't be reached gradually depending on exactly how much each miner is paying for electricity; it is much more likely to occur because of a crash in the alt-coin market. Then all of the miners will go bust, and all the administrators will be trying to sell their GPUs as quickly as possible (before the other administrators do the same and depress the price further), and the price of GPUs will drop through the floor. I can't wait.

What makes it worse is that it doesn't *much* matter if AMD have concentrated on selling to gamers; if the market is flooded with cheap secondhand nVidia boards, AMD sales will still crash (there are some AMD loyalists who would never touch nVidia - but not enough).

Reg writer Richard went to the cupboard, seeking a Windows Phone...


Re: Apps

When you say "most of what's in the Play store is pretty pathetic", that may well be true - but it isn't really relevant. I want my bank's app, my car's app and my heating system's app; if those are crap, it isn't really Google's fault.

I got 99 secure devices but a Nintendo Switch ain't one: If you're using Nvidia's Tegra boot ROM I feel bad for you, son


Re: "principles, not freeloading"

Can you please not talk about "real property rights". Pretty please?

The problem is that "real property" is a legal term (it means land and buildings, as opposed to personalty or "personal property" - like clothes or consoles). "actual property rights" or "genuine property rights" would be fine.

(As an aside, I think you overstate your case. If the transaction was changed to "leasing", I predict that the price the market would bear would be almost completely unchanged.)

There's security – then there's barbed wire-laced pains in the arse


Ahem. Mandatory password changes are bad for security. Force a renewal when you suspect they are compromised, but otherwise encourage users to use a password manager, and a *good* master password.

'Every little helps'... unless you want email: Tesco to kill free service


Re: Buy your own domain


I really wish I had followed my cousin's advice and bought a domain about eight years ago. (And I'm the techie one, and he is the marketing/management type.) Now I'm stuck with too many people knowing my gmail account.

Blackout at Samsung NAND factory destroys chunk of global supply


Re: The maths don't add up...

Yes they do. If all the product currently in the factory is ruined, *and it takes three and a bit days* for all the processes to run, then the maths adds up just fine.

Diffusing various doping agents into silicon is not a particularly fast process.

Developer mistakenly deleted data - so thoroughly nobody could pin it on him!



"if you were placed in the same situation, and had the presence of mind that always comes with hindsight, could you have got out of it in a simpler or easier way?"


But of course, that wouldn't have worked when people were running Unix on VAX.

Sacked saleswoman told to pay Intel £45k after losing discrim case


Representing yourself

There is an old legal saying "A lawyer who is representing himself, has a fool for a client".

Having said that, there's no reason not to represent yourself for claims on the Small Claims Track. (But this is clearly not such a case.)

EE: Data goes TITSUP* for Brit mobile customers


Actually, no they are probably miserable as sin about having to send you those texts (they would rather you just roamed away, and only found out about the prices when you got home) - but they don't have a choice. I think it's an EU regulation (too consumer friendly to be Ofcom's idea).

Full disclosh: Facebook to pay shareholders $35m over IPO non-disclosure claims


Zero sum game

It *is* a zero sum game, but people who bought at IPO aren't the only players. The people who lose out from the payment are those who were shareholders *before* the IPO (including Mr Zuckerberg).

Somehow, I don't think this is going to leave him penniless.

PCI Council and X9 Committee to combine PIN security standards


To be fair

This is an agreement between the people setting the standards. Both sides regularly update their standard. If they update it to be identical, then there will only be one standard. (Just like BSI, DIN and ANSI all have standards for the C programming language - they are just the *same* standard.)

Uber quits GitHub for in-house code after 2016 data breach


Re: What kind of complete moron

1) Standard issue human. Once it is pointed out that the code is on GitHub, one goes "D'oh!", but everyone has done equally stupid things.

2) It was a private repo (otherwise, what would the point of multi-factor authentication be?)

3) Not a clue.

On yer bike! Boffins teach AI drone to fly itself using cams on bicycles, self-driving car

Black Helicopters

Re: "In the UK"

It does say in the regulations you quote that you can ask the CAA for permission. I don't suppose the CAA would be much harder to convince than the local ethics committee. (I presume they had someone with their hands hovering over a kill switch so it would just drop on the ground. That's not too brilliant as a general strategy for drones, but at their height, it would have worked fine.)

(Icon because ....)

Just can't catch a break, can ya, Capita? Shares tumble 40% amid yet another profit warning

Same old same old

"I have initiated a transformation programme, appointed a Chief Transformation Officer and formed a new executive committee to drive this change."

Oooh! That'll change everything won't it. I suppose it is possible that he is actually going to introduce some significant changes - but that's not the way the smart money is betting.

UK taxman has domain typo-squatter stripped of HMRC web addresses


MoD is part of government

NHS and Police are not part of government ... but the Ministry of Defence is. It really ought to be mod.gov.uk.

Brit bank Barclays' Kaspersky Lab diss: It's cyber balkanisation, hiss infosec bods


ARPANet survivability wasn't the initial goal.

"Pretty sure that the US DoD funded ARPAnet to create a network that would be able to withstand a Soviet attack, by routing around destroyed nodes."

Not really. According to Charles Herzfeld, ARPA Director (1965–1967): "The ARPANET was not started to create a Command and Control System that would survive a nuclear attack, as many now claim. To build such a system was, clearly, a major military need, but it was not ARPA's mission to do this; in fact, we would have been severely criticized had we tried. Rather, the ARPANET came out of our frustration that there were only a limited number of large, powerful research computers in the country, and that many research investigators, who should have access to them, were geographically separated from them."

Of course, nuclear survivability probably didn't hurt when people were discussing funding, but that wasn't the main goal. The underlying systems were unreliable enough that they needed the robustness anyway.

Uber: Hackers stole 57m passengers, drivers' info. We also bribed the thieves $100k to STFU


Re: SS ranks

Aaargh! What's with all the random spaces and capital letters in the middle of perfectly good German words: "Oberstgruppenführer" and "Ubersturmbannführer" (or if you can't do umlauts, at least "Oberstgruppenfuehrer" and "Ubersturmbannfuehrer")

It's 2017, and command injection is still the top threat to web apps


Re: moving functionality from the server side to the client “brings its own security challenges”.

Yes it does. It means you can't just move "that" chunk of functionality from server to client - you have to split the security functionality out, and leave it in the server, and then move the rest of the functionality to the client.

You also have to find a way of testing the security functionality (because the client, by default, probably won't let you).

Brocade undone: Broadcom's acquisition completes


Check your irony meter

I think the overload protection has blown.

(You do have overload protection on the iron meter you use on El Reg, don't you?)

The four problems with the US government's latest rulebook on security bug disclosures


"thus when the NSA toolkit was leaked online and into the hands of WannaCry's developers, there was no patch available to protect users"

Actually there was .... or at least there was by the time WannaCry was deployed. Microsoft had been quite quick about developing a fix for the vulnerability; the problem was that a lot of people had not been nearly so quick in deploying said patch.

(There was also an issue of people continuing to use an unsupported operating system without either isolating it from external contact or paying for the support. But that was much less significant.)

Quantum computers could crack Bitcoin, but fixes are available now


migrating to quantum-resistant techniques is really not a difficult task

The problem is not the migration, it's where we are going to migrate to. There are a number of proposed quantum-resistant techniques, but none of them have got much in the way of serious cryptographic review (cf the AES or SHA3 competitions). Until that has happened, post-quantum crypto is just a buzz-phrase.

Hitting 3 nanometers to cost chipmaker TSMC at least US$20 billion


"even a combined arms parachute- and amphibious-assault across the straits would be a slaughterhouse:"

There is an old and somewhat racist joke about a Chinese general hearing the news about a battle against <enemy>: "Terrible news, we lost 10,000 troops, and they only lost 1000". The general replies "Good, good". This goes on for several days, and eventually he asks why he keeps saying "Good, good". His reply is "pretty soon, no more <enemy>".

The PLA could almost certainly take Taiwan, even if it was at a terrible cost.

Microsoft's foray into phones was a bumbling, half-hearted fiasco, and Nadella always knew it


Re: Have I lost my bet ?

Over Christmas, check if Carphone Warehouse, Amazon.co.uk, or Talk-talk have any winphones available. If any of them do, FSF gets 100€, otherwise just the 50€.

HP Inc exec: Yes, we'll put a bullet in the X3 device


Re: UK Sales of Goods Act

Whether you can give up the protections afforded by law depends precisely on how the law is worded. Some protections are written as terms which are necessarily part of the contract (and those you cannot give up); others are worded as default terms which are assumed to be part of the contract unless the contract says otherwise. Obviously you can give those up.

Google's Hollywood 'interventions' made on-screen coders cooler


Re: Exception that proves the rule

Also both Inspector Barnabys.

(And while Inspector Montalbano may have commitment issues, it doesn't seem to bother *him*.)

Biting the hand that feeds IT © 1998–2019