* Posts by Bitsminer

36 posts • joined 13 Sep 2017

Germany tells America to verpissen off over Huawei 5G cyber-Sicherheitsbedenken


Huawei is not a risk? Not true

Of course Huawei product (including software) is a risk. Same as Microsoft Windows is a risk. Anything as complicated as 5G or MS Office will have hundreds of possible bugs. Therefore: risky.

Risk is about the future. "Proving" absence of risk is impossible: you can't prove anything about the future, such as the absence of unwanted outcomes. (My favourite definition of risk.)

Pretending their product is not risky (in the sense of: unwanted features, exploitable bugs, serious architectural or design flaws, or simple coding errors) is unrealistic. However, politicians like to simplify. So, simplistically, "low risk". Whatever category of risk you like to be low, there you are.

Roses are red, this is sublime: We fed OpenAI's latest chat bot a classic Reg headline



Jack Clark, policy director at OpenAI, said the content could potentially "generate misleading news articles or impersonate others online".

The original data came from Reddit and you are surprised at this? You are funny.

Roses are red, so is ketchup, 'naked' Huawei tells its critics to belt up


Just like Windows?

"It's like Windows software as well. The legacy code base keeps building up"

So, Windows had 36 remote code exploits this month, which means of course they have lots of back doors. They just haven't found them all yet. When they need one you know that they will find one.

Huawei is a risk. Just like Windows is a risk.

Things that make you go .hm... Has a piece of the internet just sunk into the ocean? It appears so


"just north of Antarctica"

It's an old joke. A bear walks by, and everywhere he looks is "south". Where is the bear?

Answer: The bear is at the north pole.

So, just north of Antarctica, in the direction of......where? Everywhere is north of .aq!

Huawei pens open letter to UK Parliament: Spying? Nope, we've done nothing wrong


Risk is not solid evidence

"they have never substantiated these allegations with solid evidence"

Risk is not about evidence. Risk is about the future, and the future is unknowable. However, being human, we like to think we know something about the future and so as not to look too stupid we call it "risk management" instead of fortune-telling.

Huawei products are a risk because their products might be re-purposed to hacking, nation-state-spying, or telephone sanitizing. Same with Nokia or Ericsson kit.

The question to be answered is: Do the Chinese state actors, with their very personal connections to the allegedly private Huawei corporation, pose a significantly higher threat than Finnish state actors with their strange language and preference for naked saunas? Well? Which is it?

Good news! Only half of Internet of Crap apps fumble encryption


D-Link might be good guys?

They updated firmware on one of my IoT things last month. It was two years since last sale (the product has had two replacements with new model numbers issued since.)

After some quick googling I couldn't find any published reason or bug reports.

Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up'


Re: they should have simply swapped out the laptop

Er, s/laptop/lusr/g


(Turns out they did after all).

Bordeaux-no! Wine guzzling at UK.gov events rises 20%


Re: Canada?

Yep. But production is tiny. One vineyard in Chile is larger than all the vineyards of British Columbia together.

(About 4000 ha/10,000 acres)

It's really good. And we're not sharing!

Linux kernel Spectre V2 defense fingered for massively slowing down unlucky apps on Intel Hyper-Thread CPUs



Reliability and trustworthiness now has a spectrum of options to be selected. Get it wrong and get pwned!

X86 = Special Executor for Caching Troubles with Revenue Extraction

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)


Re: Drive firmware updates?

Can happen. Dell, as an example of this, publishes update packages that go through every drive in a raid controller updating the firmware. Offline of course. IIRC the firmware is signed.

Worrying Windows 10 wrecking-ball weapon weirdly wanders wildly on worldwide web


new Microsoft slogan

"We're not happy until you're not happy."

"Borrowed" from Air Canada.

Forgotten that Chinese spy chip story? We haven't – it's still wrong, Super Micro tells SEC


Latest from Amazon...

Amazon announces their latest book, by Xi Jinping:

"If I Did It"

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?


A couple of other points

...because similar motherboards were in use "in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships."

Uhhhh, nope. Chinese-manufactured motherboards cannot be sold to US government agencies, especially military or intelligence. Stuff has to come from one of a trusted list of countries called TAA (Trade Agreements Act, FAR 52.225-5). China is not on this list.

Just try to find a disk drive not made in China. Thailand maybe? Been there, had to find that. Did.

..."the middlemen would organize delivery of the chips to the factories."

Wow. Just wow. This is classic misdirection. The Intelligence folks are trying (and largely succeeding with Bloomberg, el Reg, WaPo, etc) to focus attention on one vulnerability, namely surreptitious factory modifications. But there are more, so many more. A few hints:

o Connectors. Yes, those boring black thingies with wires going in, and out. Embedding a chip within a connector requires no BMC changes, is difficult to check even with Xray, and completely unobservable. And since there is exactly one connector model that fits in exactly one place, no wastage. Profit!

o Firmware "adjustments" as many others have suggested. But where? Not just SMI flash but ... power supply flash. RAM controller firmware. CPU firmware. Or simply radio transceivers embedded in the board (or connector) that introduce firmware changes at boot time. (Where is the transmitter? Hmmm...maybe power supply RF emissions?)

o Known zero-day vulnerability in....CPU (obviously), BMC firmware (also obviously), but: Ethernet chips, memory controller chips (like RowHammer), PCI bridge chips, etc

o NSA black bag ops. However, at the scale of Amazon, Apple, etc, probably not cost effective. Except see my next point.

One thing not mentioned by El Reg, is the scale of procurement by Amazon, Apple, etc. Unless merely for development purposes, these companies purchase servers by the container-load (where the container is pre-loaded with racking, switches, power, servers, etc). Thousands of servers per container. The assembler might be persuaded to mung things up. It seems a remote possibility but the supply chain risks at this point (well after the motherboard factory) have not been addressed in the press that I can see.

+1 for El Reg and very well reported. Thanks.

UKIP doubled price of condoms for sale at party conference


Not for me

I wouldn't stand for it.

Database ballsup: NHS under pressure over fresh patient record error


Only two sources of truth?

Surely this can't be right. Dig a little deeper and there should be another ten or twenty databases and applications with patient or medical or facility data. NHS is an old bureaucracy.

Trio indicted after police SWAT prank call leads to cops killing bloke


Re: Officer could still face charges

Umm. Violation of his civil rights.

Even the 4 cops that assaulted Rodney King got charged with that one. And King didn't die of the beating.

Brit Attorney General: Nation state cyber attack is an act of war


Imminent threats

"or present an imminent threat of"

Well. Google "phases of cyber" and you will find 5, 6 or even 7 phases. Let's take the shortest:

1. Reconnaissance

2. Scan

3. Exploit

4. Persist

5. Exfiltration

Item 6 would be "echo 1 > /sys/dev/reactor/meltdown/begin"

Item 4 would be evidence of an imminent threat. Would the Minister nuke the russkies for installing a backdoor?

The difference between cyber espionage and active cyber ops is a keystroke. Deal with it.

Wah, encryption makes policing hard, cries UK's National Crime Agency


Re: Ridiculous!

I see that you included


On your ban list.

But TSB....never mind...

Symantec shares slump after revealing internal investigation


"Revenue reached US$1.222 billion, up ten per cent year-over-year.

CEO Greg Clark was pleased that the company’s annual enterprise sales crept up one per cent and happier still that consumer sales grew by six points..."

Ummmmm....if two segments are up 1 and 6, how does the total come up 10 percent?

I think some arithmetic is amiss.

How 'parasitic' Google's 'We're journalists!' court defence was stamped into oblivion


So there you have it

Google is officially parasitic.

SpaceX's Falcon 9 poised to fling 350kg planet-sniffing satellite into Earth orbit


"NASA boffins hope Musk's firm doesn't make a mess of TESS"

I see El Reg still has its headline writing AI in beta. Deep beta.

Sysadmin wiped two servers, left the country to escape the shame


Re: Incremental backups?

"ISO 9001 only specifies that you have a process and follow that process in a documented fashion. It doesn't specify that the process has to be any good or have any value."

We are ISO 9001 registered. We can repeat our mistakes exactly.

If you've got $1m+ to blow on AI, meet Pure, Nvidia's AIRI fairy: A hyperconverged beast



$3,000 for an Arista 100G switch? Think again.

Citizen Lab says Sandvine network gear aids government spyware



The report is a useful example of attribution. Can't blame the Russkies or Norks here.

Blame Canada: "Ontario-based networking equipment company Sandvine".

Slingshot malware uses cunning plan to find a route to sysadmins


State-sponsored and only a few hundred infections?

Seems like a typical govt mess: $ per victim is huuuuge just huuuuge.

On the other hand, six years under the radar and only found accidentally.

Seems like there are varying degrees of sophistication even from the "same" "actors".

Arista almost done with Cisco workarounds as revenue and profit soar


Stock price bounce

Arista's stock price has been bouncing +/- 20 percent the last few days. A day-trader's dream.

Arista is basically eating Juniper's lunch.

Pour yourself a tall one, Juniper investors. It's lost money again


Arista is eating their lunch.

STOP! It's dangerous to upgrade to VMware 6.5 alone. Read this


I remember VMS

Back in the days before rtfm was a word....

The boys in the project down the hall paid several kilobucks for an in-field upgrade of the VAX-11/780 to a dual processor '782. Downtime was about 4 or 5 days while the extra cabinet was bolted on.

And then came time to boot up. It didn't.

After a couple of days on the phone, tech support asked what version of VMS was installed. Oops, should have upgraded the software before doing the hardware! VMS 4.1 [iirc] doesn't support SMP! Meanwhile 10 programmers were stuck reading magazines and wandering the hallways.

[In those days, one CPU at 0.005 GHz could support 10 coders on their VT100s.]

NASA is pretty pleased with its pulsar-sniffing intergalactic GPS tech


Re: Any benefit

The current tech can only precisely determine the distance to earth. There are 2 more dimensions needing to be measured. Instead, a few x-ray pulsars across the sky allow eventual precise determination of position. It might take a few days each (pulsar) to be sure of the timing.

And the detectors are only a few kg and half a metre across. Much smaller than the current antenna for comms back to earth. The AE-35 is not required.

On a higher level, this enables, or requires, a more autonomous spacecraft. AI, you know.

Remember those holy tech wars we used to have? Heh, good times


Theo vs Linus


And of course it's all about security. And m10g m5s.

Guilty: NSA bloke who took home exploits at the heart of Kaspersky antivirus slurp row


More humor

This was obvious in hindsight ... come to think of it, I'll put that on my tombstone.

In hindsight, won't you be dead? How, then, do you put it on your tombstone?

Re: they don't employ morons in the NSA.

[Citation needed]

Does an axiom need a citation?


TAO is official

Is this the first official acknowledgement that TAO exists?

Car trouble: Keyless and lockless is no match for brainless


"I dread replacing my 25 year old Volvo with a current model. Too much technology for technology's sake."

The battery on my early 1990s BMW 535 lasted...12 years. It was quite the surprise at the dealership when they told me it was a factory original.

A friend with a recent X5 had to surf YouTube to find out how to log into his car's firmware to tell it that he was changing the battery.

YMMV. Your patience will vary too.

Equifax CEO falls on his sword weeks after credit biz admits mega-breach


Ethics statements fell very very flat

Have a read of the Equifax employee ethics standards (page 21 and page 22). A lot of corporate fluff about preserving IP and being careful not to expose confidential data and care with relations with customers. Paying customers, that is.

Absolutely nothing about the care and protection of personally-identifying-information. PII. Which is their whole business.



Re: Not going to receive his bonus

Bonus? Why? He gets $USD 18,477,100 for retirement. (According to the company 2017 proxy statement.) That is almost the least they can give him (it's $100k less if they actually terminated him but that is probably chump change compared to litigation costs).

There are also vested stock awards; unlikely, I think, that he will get much out of those.

El Reg is hiring an intern. Apply now before it closes



>We pride ourselves on Biting The Hand That Feeds IT.

First task should be to rewrite the slogan. Some suggestions to get them started:

- Slighting the bland that gives two fleas

- Blaming the blight on B2B

- Making the slight seem all too wee

And so forth.

If the quality doesn't impress, pay them something.

Biting the hand that feeds IT © 1998–2019