* Posts by brotherelf

135 posts • joined 16 Jun 2014


It's now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on


Double-checked and ...

... nope, there is no update for Adobe/Reader for Linux. I would have been very surprised, too, since they stopped Linux support around Reader 7 or so.

Icon 'cause the binaries are old and crusty, too.

Who are the last people you'd expect to spill thousands of student records? A computer science dept? What a fantastic guess


Why …

would anybody assume administrative staff in IT/Eng departments is different at all from admin staff in other departments? (Ok, they're battle-hardened by having people nearby who think they're their boss and think they're competent in IT matters because they have a comp.sci. degree.)

Hi, Jack'd: A little PSA for anyone using this dating-hook-up app... Anyone can slurp your private, public snaps


Yeah, about par for the course…

My money's on "Nobody will be able to guess this random six-letter filename, so we don't need access control or authorization".

Germany has a problem with the entire point of Amazon's daft Dash buttons – and bans them


Re: A simple idea

They do this f*cking sh*t already. For several months, my Amazon page has been cluttered with automatically-filled "virtual dash buttons" based on my orders (like the jar of mincemeat I ordered two years ago, or the pill cutter knife I bought for my parents), and only a very well-hidden way of changing these assignments.

It's still there, under "your dash buttons", but for a while, it was either on "your amazon" or even the homepage.

Talk about a GAN-do attitude... AI software bots can see through your text CAPTCHAs



I have a home-brew captcha on a not very important page that asks you to solve a fairly simple subset-sum problem and rejects you if the answer comes too quickly.

Come to think of it, for most of our purposes (not a commercially interesting target), I could probably just require that the form submission is more than 5 seconds after the page request, with no security feature at all.

'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine


You still need to have a stack of paperwork that is signed off by the company's DP officer. (Who in this case, or so the rumour goes, only found out about the passwords when the excrement-propeller distance was already critical.)

Basically, GDPR extends the usual Weinberg's Second Law from engineering to about as big an effort on top in paperwork.

Japanese cyber security minister 'doesn't know what a USB stick is'


Re: He actually sounds...

Famously, Donald Knuth has his email pre-screened and printed out for him. So here we have a highly-decorated comp sci researcher buried in the highest of accolades (last I counted, he has several dozen honorary doctorates) and yup, "this is not worth my time, I have underlings for that".

'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption


Re: "AND the header-level clues that DNS resolution is being requested."

And the volatile keys you need for ESNI to work are … :drumroll: in the DNS.

'The gulf between apps and infrastructure is blurring' says boss of DevOps darling Puppet


BRB, off to the trademark office…

because "appstrastructure" is going to be all over the sales pitches. Hyperconverged serverless deep appstrastructure as a service.

Time to party like it's 2005! Palm is coming BAAAA-ACK


Oh yes, Palms

I owned an m100 or two, and even for a non-business type like 20-year-old me, they were pretty awesome. World time clock, scientific calculator with plot function, room for an ebook or two, and apps to manage your die-rolling and tables for whatever RPG you currently fancy. And what feels like near-infinite service on two AAAs. It's amazing what they did on 160x160 b/w with IIRC single-digit MHz. (Or was it 16, re-clockable to 8-32?)

I keep wondering (but can't be arsed to do the back-of-envelope estimation myself): if you just made the "obvious and easy" upgrades: build chips with modern low-nm processes on lower voltage (but probably keep the speed and RAM levels), swap the display for 160x160 eInk, use LiPo batteries, how long would that run? A year on a charge?

Sur-Pies! Google shocks world with sudden Android 9 Pixel push



little bits of applications shown in context of other apps. I can see why it sounds enticing, but let's see how long before it fails in one of two ways:

- either it's an even-more-walled garden that G sells like ad space to "trusted" parties, so miraculously, my BongCineMaster ticket app won't integrate because G only likes (i.e. is paid by) GaaFlixDeluxe for movie tickets

- it's some sort of self-registration-by-app thing, and we get a cute new vector for ads and malware.

Insecure web still too prevalent: Boffins unveil HSTS wall of shame


Re: Fearmongering, Uncertainty and Doubt

You mean that certificate pinning which is already on the way out again (deprecated in Chrome) before it's even fully arrived (no support in Edge yet), because between short-lived certs and spare private keys, you actually need some amount of planning to deploy it reliably?

Mastercard goes TITSUP in US, UK: There are some things money can't buy – like uptime


Re: Is still happening

> transaction blood

I didn't know the readers were connected by SCSI (or wireless SCSI for the portable ones?), but things make a lot of sense now.

Google Chrome update to label HTTP-only sites insecure within WEEKS


Re: Shared hosting

Simple answer: the hosters want to upsell. It really really is that simple. I can understand that my hoster wants to push me from a 15€/yr package to a 36€/yr package that does less. They just have no lever at all, other than lack of certs, because my use case only needs minuscule resources.

How a tax form kludge gifted the world 25 joyous years of PDF


A beast of many things...

I've had need (or nerd, rather) to look at the specs at some point, and there's so many bewildering things in there... base95 (because why waste characters?), a freaking filesystem, because that's really what PDF is... I want to say there's special support for barcode-ish things in there, too, but I've not found it looking at the PDF1.7 ISO document.

I can see how they were convinced it would be a great step towards low-paper office workflows, if you go all in, all the way.


Re: Format of choice for immediate offline reading, easy sharing or simple portability

""It has been many years since I have heard someone say "Your PDF file won't open on my computer."""

Funny that, I've had two this year already. One was a form, intended for printout, that was built in Lice fickle Designer and used JavaScript to replace the text "if the form does not appear, use a proper software to view this" with an entirely non-interactive form; and the other is that one of the default Linux viewers still can't do transparency.

Yahoo! Kills! The! Messenger!

Black Helicopters

Re: Contact me on Oath Squirrel

Wasn't Oath Squirrel one of those top-secret Pentagon projects during the Cold War?

You have suffered without red-headed emoji for too long. That changes Tuesday


Re: At Dan 55...

… and aspies. Don't forget the aspies. I can't tell a difference between all those vaguely smiling emojis that are 12x12 pixels. Oh, is that one cocking its left eyebrow, not the right one? Is that supposed to make a difference? Frankly, needs tooltips. Or else, where do I petition for a font that actually renders stuff as ":smile:", ":wink:", ":eggplant:", ":poo:"?


Seems kinda hard to implement…

I like how the reference picture shown for "smiling face with three hearts" shows four hearts.

Storm in a teapot: Anger brews over npm's jokey proxy error messages


Re: Back to school with you!

"our skilled consultant"? Is that the sequel to "my little pony"? Repository is magic!

PGP and S/MIME decryptors can leak plaintext from emails, says infosec professor


Re: It seems it's a vul'n in HTML parsing in some clients

Of course, that is a wonderful piece of FUD BS in itself: "The problem is in the mail client implementation, and neither in the encryption implementation nor in the protocol, yet our implementation is OK (unless it isn't, in which case it's definitely not our fault), and the other protocol is vulnerable."

Your software hates you and your devices think you're stupid


Help me with my latin here…

"tuitive", same root as tuition, so it means "teachable", or, I guess "learnable"? Says the right thing about in-tuitive things, really.

You love Systemd – you just don't know it yet, wink Red Hat bods


Re: Process 1 IS complicated.

> Now let's see does audio come before or after networking (or at the same time)?

That depends on your combination of the Conflicts, Before, After, Wants, WantedBy, Requires, RequiredBy, Depends, Needs, NeededBy, PartOf, Contains, Encompasses, and LikesCuddlingWith directives, and I think I only made three of those up, and good luck guessing which of these go into the Unit section and which into the Service section.

Frankly, systemD's abominable configuration scheme needs to be thrown away, shot, buried, and replaced with more structured methods, because the thesaurus is running out of synonyms.

NetHack to drop support for floppy disks, Amiga, 16-bit DOS and OS/2


The young ones may be sidetracked by Cataclysm: Dark Days Ahead, which has a crafting system that makes NetHack's alchemy look simple. And zombies.

BOFH: We know where the bodies are buried


Re: Where the bodies are...

These anti-static carpets become filled up with static, so regular replacements are needed. Just like inkjet cartridges, only the other way around.

Google accidentally reveals new swipe-happy Android UI


Re: Discovery is a problem

Aren't you supposed to touch smarter, not harder? (That's what she told me anyways. After complaining my UI element wasn't very discoverable. But I digress, and this is not SFTW,S? anyway. I shall get my coat.)

Modern life is rubbish – so why not take a trip down memory lane with Windows File Manager?


Re: OMG can I say SQUEE?

The bottomless pit interface broke both those functions of scrollbars anyway -- get too close to the bottom, the new 20 twitbook journal entries will move the slider away from under your pointer, resulting in a huge jump when you next move it.

Yes, I would sincerely not be surprised if they broke scrollbars for everybody everywhere because twitter et al broke them in the browser.

Linux Foundation backs new ‘ACRN’ hypervisor for embedded and IoT


"rich I/O mediators"

Remember when those were still called "consultants"? I feel old now…

Windows 10 to force you to use Edge, even if it isn't default browser


Re: Testing waters

It's actually the second one – if you use the spotlight screen saver and ever click on the trivia teaser, you'll be taken to the edge.

Mozilla wants to seduce BOFHs with button-down Firefox


Weird timing

Odd timing, when the existing ESR still is old-style. Hooray, you get both the fallout from all the extensions breaking¹ and the teething problems in the mgmt functions, at the same time? Oh, and I have to opt in to your marketing spam? Sign me right up, sounds like a spectacular deal!

¹ and given the noise the affected users will make, it doesn't matter if 83% of overall install base got compatibility updates, or whatever the figure is.

Look! Fitbit's made a watch that doesn't suck!


Re: Four days!

Yeah, but these are marketing 4-days, which hopefully means you confidently get a full day even with heavy use, whatever that is for a watch.

Stanford brainiacs say they can predict Reddit raids


Mildly disappointed…

Going by the headline, I thought this research would have involved cases of fake emergencies triggering SWAT?

(I can totally see "we use AI and blockchain to [try and, ed.] detect people who will become upset enough to do these things, give us venture capital. (Sorry we were late on that suicide prevention AI party.)" happening.)

Slack cuts ties to IRC and XMPP, cos they don't speak Emoji


Re: There you go

For a moment, that tried to parse as a composite noun, and I'm boggling where else you can vomit from. Though it occurs to me that "arsevomit" has a nice ring to it, as in "the new change approval process is a stinking puddle of arsevomit". I wonder if I can hire Richard Ayoade to say "arsevomit", it feels like a very Moss phrase to use.

Batteries are so heavy, said user. If I take it out, will this thing work?


Re: Its powered by magic fairies and gnomes

> at 5.0ppm each evening

5 parts per million is a waaaay too low BAC for somebody in IT. Are you sure you're not holding it wrong?

(I fully expect somebody to pipe up and tell me how much ppm of ethanol there are as byproduct of regular working of the chemical factory we call human body.)

Shock horror! Telegram messaging app proves insecure yet again!


Re: 'In keeping with current trends'

> The worse part is, if only hackers put 1% of their talents towards something positive.

What makes you think this isn't happening? There's lots of creative and brilliant minds out there working for "something positive". You just never hear of the person who wrote the code that lets you use assistive technologies to log into your Mac (because it's not "One more thing"), or who's letting the JS do protein folding instead of coin mining.

Epic spacewalk, epic FAIL: Cosmonauts point new antenna in the wrong direction


That'll teach them…

… to use a USB connector for the antenna. At least us mere mortals only need to crawl under the desk for a bit of the old "pull it out and put it in the other way" to get things to work, no space suit needed.

Today in bullsh*t AI PR: Computers learn to read as well as humans (no)


Let's face it,

we've all done a helldesk session or two, we've all met those users. Whatever the merit of current "AI", it can't be worse at understanding and executing a lavishly illustrated step-by-step guide on how to set up out-of-office replies.

Flying on its own, Thunderbird seeks input on new look


I think this needs to be called "Product Already Not That Stagnant", because that matches the majority reaction quite nicely.

Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains


Let me just point out the affiliations of the authors of the spec: Cisco, EFF, *Let's Encrypt*, UMichigan.


Re: If your company is really serious about HTTPS security, you will not be using Let's Encrypt

> In any case, CAA was created to stop *rogue* CAs from issuing certificates (or more precisely, to stop those certificates from being accepted by clients).

Um, no, on both counts. A client (e.g. browser) is not in a situation to find out which CAs were authorized to issue certificates for my domain many moons ago. (Remember, current legal lifetime of certificates can exceed 36 months.) And even if it was, it wouldn't do it – already we have things like OCSP stapling, because you really don't want to have extra validity requests to a third party with every outgoing request.

A CAA record is an advisory measure from the entity controlling DNS to the CA if it is supposed to issue certs. (Browser Forum etc. make it pretty much a mandatory best practice, but that's social/legal and not technical. Nothing stops a malicious CA from issuing anyway, hoping they will be undetected. To expose them, you not only need the public ledger of issued certificates, you also need a public ledger of past DNS states.) CAA is mostly about impersonation attacks, where mycompany.com forces you to social-engineer the CA of their choice into giving you a certificate, and not Mom and Pop Best Certs & Fried Cat5fish.

Self-driving cars still do not exist even if we think they do


"Click 'I Accept' and your troubles go away."

Hey, I think they tried to teach me about that in Sunday school. No coincidence it's called a "submit" button.

(Have we had a campaign to rename those yet? Actionators maybe? Though come to think of it, the person in front of the screen being a humble supplicant to The Machine is more true now than ever.)

Firefox to warn users who visit p0wned sites


Re: Until we can breed more clueful users...

Don't even get me started on the browser cancer that is removing part of the URL from display. One of the stupid bass-turds even removes a leading "www.", regardless of whether the result will work, and only copying the URL will get you the actual thing, protocol and full server name.

Eh, where's my pills…

Sure, Face ID is neat, but it cannot replace a good old fashioned passcode


The oh-so-secure enclave

Unfortunately, in about two years, people will complain that their new iToy needs to learn their face all over again, even though "the old one recognized me perfectly"; also, the iBigscreen device will not recognize the user by face even though it's linked to the same iTunes account, so the facial fingerprint (i.e. the fine lines in your facepalm) will move onto the iCloud servers that are iAbroad under a different iJurisdiction at the behest of iMarketing.

The day I almost pinned my tushie as a Google Maps landmark


What a good opportunity that would have been to turn your posterior into an Egréss Go! arena, though I guess a dodgy mystery kebab will do that just as quickly.

There's a way to dodge Fasthosts' up-to-160% domain renewal hike but you're not gonna like it


Re: Price gouging.

Eh, depending on legislation in your country, you might need to defend your trademark (by making sure nobody gets the domain in other TLDs) to keep it valid. Yes, still price gouging, this time endorsed by the lawmakers.

Java security plagued by crappy docs, complex APIs, bad advice


Re: Remove MD5?

It's probably worse — there might be some HashFactory abstraction which in absence of explicit settings either is documented or required-by-compatibility-with-Java-1.1 to use md5.

And nobody will set the hash function explicitly, because setting "SHRMBLFRZ-312-CBC-NSA-712" might not work in the previous or next release, and then it's either a hardcoded magic value or a config setting that must not be changed on pain of invalidating all pre-existing hashes. (Yes, there's probably an IAbstractHashFunction interface implemented by nobody, and an AbstractHashFunctionFactoryFactory that would use it, but since nobody will be able to see what the code is doing between the architectural boilerplate, everybody will just call the static function hidden in a util package somewhere that it boils down to.)

And also, no, if somebody asks for a general "along what lines do I get this to work", I wouldn't explicitly set a scheme either, or hand-hold them through all the exception handling. Reading comprehension is required.

Dome, sweet dome: UAE mulls Martian city here on Earth ahead of Red Planet colonization


Re: Just curious

> Which direction do you pray to Mecca, when you're on another planet?

You'll be unsurprised to hear that there's guidelines on this (though, I guess, how relevant these guidelines are always depends on how you feel about the group that issued them): https://www.wired.com/2007/09/mecca-in-orbit/ quotes a report approved by Malaysia's National Fatwa Council in 2006 that seems to boil down to, in order of preference, "1) the Ka'aba, 2) the projection of Ka'aba, 3) the Earth, 4) wherever".

Microsoft sets the date for Fall Creators Update


Re: This is a UK site

> Apparently it's Microsoft that believes this is Planet America.

:shrugs: There's no Android Pandan Cake yet, either, and there were some interesting bugs in Fedora for the version codenamed Schrödinger.

That virtually impossible classic compsci P vs NP problem is virtually impossible, say boffins


While we're nitpicking, and oh boy, is it needed, because in the past weeks of reporting, I have not come across a single reporter that got P and NP right (at least I've not seen anybody say "non-polynomial"), problems that are in NP but not NP-complete only exist if P!=NP. Actually, hang on, the full and empty languages are trivially in P but you don't really have morphisms into them from proper problems, deterministic polytime or otherwise, so yeah, non-NPC problems do exist, even if P=NP, but not in the way I assume you intended.

(And certainly, somebody will now point out that I've got the direction of the morphism wrong.)

Connect at mine free Wi-Fi! I would knew what I is do! I is cafe boss!


Re: Smart intercoms/bells are a good idea, that are usually badly implemented

I remember that about twenty years ago, I worked in a rather large estate, and the doorbell/intercom was connected to DECT handsets. Fairly useful, that. Even more so once the answering machine doesn't answer the intercom after the fifth ring.

(Icon because it seems to be the closest to "old fart" there is, well, or the "flammable" one?)

