Posts by James R Grinter

Re: revolting restaurant more like

When I visited (2015? It was some anniversary or other, and there was a ballot to get the opportunity to visit and dine there), it was being run by Searcy.

Had a nice lunch, as we were slowly rotated.

Even Beckton Ski Slope (nee Beckton Gas Works) doesn't really look like a ski slope now: these days it’s just the Beckton Alps, again.

Re: Don't keep repeating a lie

Belkin acquired Linksys off Cisco back in 2013.

https://www.theregister.com/2013/01/25/belkin_buys_linksys/

Re: As a small developer

Not to mention developer tools, libraries, operating system updates.

There’s a prevailing attitude (possibly because so much software *is* free at the point of access) that it must cost nothing to provide it.

Which is ironic when application developers are complaining about sharing any of their income with the app store providers.

I would expect to see any “third-party” app stores being obliged to pay royalties to the platform developers/owners, or else the app developers having to agree financial terms with same. Be careful what you wish for, etc.

Re: Not shocked

It acquired its OpenGroup Unix certification in 2007, a mere 6 years after public launch, Mac OS X having little technology in common with Mac OS 9 and earlier.

(though a bit longer than 6 years if you were to include the NeXTStep origins, but I’d argue that would be misleading because a lot of work was done by Apple specifically to be capable of passing the certification. Even then, they never attempted to deny its BSD underpinnings either).

Re: No "AIX vegans" I presume

Clever people those IBMers. It's easy to spot in any hex output, and if you ever see "0xdeadbeef" in your pointers then you know you've got something wrong.

(Someone has it that it's a play on being 'dead meat' if you end up with a pointer into unallocated memory. But I hadn't heard that before.)

Re: Doing it wrong

If we want to spit-ball possible risks, perhaps you aren’t trying to exfiltrate data, but infiltrate the physical location? What if you could flash a QR code that made the camera keep transmitting an old image, or just go off line for a bit, or something else carefully planned.

Don’t even need to have the camera on the Internet to ensure that regular software updates are applied, any of which could introduce new features, because your organisation security policy undoubtedly requires you to keep software up to date. Especially if they fix disclosed vulnerabilities.

Re: Fuck Google harder

Got to fund the development of the new releases, for existing phone owners, somehow.

Re: What do we want? Static typing!

It’s a problem a developer may not have, but you can bet the users will encounter it (unfortunately they won’t know that’s why the page is entirely blank or unresponsive).

Re: Back to the past

Common to a number of London offices of investment banks and, as I understand it, all the fine work of the same person.

Re: Curious target audience

A lot of dev teams, particularly those who use containerisation in production, will use Docker Desktop as a means to get the run-time Docker tools onto their developers’ machines, to stand up a local copy of their own software for development and debugging. Images for deployment would be built by CI systems (with Docker build, or kaniko, Buildah, etc)

But, as someone else said, it’s a hard task to sell software that is perceived as “free”. Docker Desktop will be a ground-up choice (development teams making their own lives easier) rather than a business-led choice (a technology that improves the bottom line), so if there’s little or no development tools budget - or it has already been allocated to IDEs - then Docker will be SOL.

(I personally wouldn’t begrudge paying for Docker Desktop for Mac if they’d integrate networking on macOS. Having to manually configure and run “tap” is a big annoyance)

it’s been a long time since I was actively following this case, but as far as I know the entity calling itself SCO was always unwilling (unable?) to actually divulge this. It was always the nebulous umbrella term “Intellectual Property”.

Re: Linux proves that doesn’t work

Back in the day, we systems programmers built almost every third-party tool ourselves from source. Even the C compiler. But we sure as hell weren’t reading and comprehending all the source, not even checking for common sources of mistakes (printf without format args, popen calls, etc), and you’ve only got to recall Ritchie’s seminal paper Reflections on Trusting Trust to see the elephant in the (GCC) room.

Software is necessarily more complex these days because capabilities are higher and we demand more, and that will almost always involve many more third party dependencies, which in turn may have more. That cat is not going back into the bag, because it’s just not feasible, or wise - trivial string padding routines aside - for a development team to rewrite all those themselves (crypto, maths, graphics, UI, kernel, etc).

The solution isn’t to ditch the “uncontrolled” open source dependencies, either, and go back to commercial (commercial C++ libraries were all the rage in the 90s and early 00s), because we’ve seen with SolarWinds, Kaseya and many others that if you’re a high value target you *will* get attacked and compromised at some point for leverage into other networks. You need to have in place methods to prevent, mitigate or detect it when the time comes.

Re: Tenant isolation ?

At the end of the day, it’s the “configuration vs. customisation” debate. It’s the same thing that gets you stuck on an old release, unable to upgrade because you’ve tweaked it up the wazoo and no one who knows how it works is still working for you (or, those that are, know better than to want to get involved).

ServiceNow, with their SaaS workflow, were already having that challenge with customers over 10 years ago, and as far as I know (I’m no longer working in that orbit) they’ve addressed it by being more restrictive in what you can change/how you can change their stuff.

Re: Not all is well.

Serverless is essentially “I don’t have to patch the OS”.

Which is actually quite an attractive idea, tbh. One less thing to have to keep an eye on, if you’re confident your vendor has the capability. Gripes with AWS aside, I think we can agree that they do.

Re: Might want to check your facts...

My understanding, reading between the lines and knowing the APIs available, is that they’re both transmitting BLE messages and also registering to listen for them. You might know this as iBeacons.

You can listen for Beacons from your family in the background, the OS APIs make it easy and battery friendly.

You can’t transmit beacons in the background so easily, transmitting also requires more power.

Re: Change Manglement

It isn’t the usual description of IT Infrastructure Change Management, but who knows how the “business” IT has chosen to use the term.

ISTR NatWest’s forays into investment banking played a part in their downfall.

“ in 1997, NatWest Markets, the corporate and investment banking arm formed in 1992, revealed that a £50m loss had been discovered, revised to £90.5m after further investigations.”

Wikipedia also reminded me that they’d tried to do a merger with Legal & General, which went down like a lead balloon, and seems to have been the final straw.

All worked out well for RBS, in the end, eh? ;-).

Only thing Sophos ever quarantined on a Mac, for me, was an old, spam, mailbox file that apparently had some Word doc attachments containing Windows-only macro viruses. And that was on an external disk I was copying to another. ¯\_(ツ)_/¯

Re: Chicken or Egg

Particularly as there are a lot of SERPs out there throwing up code samples from existing open source projects (and, sometimes their unit tests are the only place to find an API example.)

Brodies’ Elizabethan

Was officially 22%, though when it was still being drunk a few years later it’s hard to say. It was very nice, though.

Stuart Howe, then of Sharps, did brew his Turbo Yeast Abomination from Hell, https://brewingreality.blogspot.com/2010/01/3-turbo-yeast-abomination-from-hell.html, I did get to try some but I don’t remember what it’s final gravity was.

Re: IWF Handwringing

A lot of TLS web sites are hosted on shared services these days: think anything on AWS S3, for example.

There’s separate work going on to prevent them being enumeratable (i.e. to prevent the domain names being disclosed via the certificate when you connect to them)

This will lead to some suggesting the answer is to “man in the middle” every TLS connection, I’m sure.

Clearly the board exist to oversee the operation of the foundation and are not product managers of every single (or any, unless they happen to be) Apache Project (as you note, there a lot. More, if you include those in incubation).

Projects are managed by Project Management Committees (clever play on words, there), take it up with them - or join them!

Re: This is not the Macbook Pro with the butterfly keyboard.

The Mid-2015 McBook Pro (the model involved in the recall) does not have the “butterfly” keyboard.

It was introduced on the lightweight MacBook of that era.

Re: Chinese bikes already here

Ofo went ages ago. Any you see now are in the hands of local kids and scallies.

Re: Is it just me ?

How automated are those gates? Anecdotes I’ve heard suggest they are very reliant upon humans looking at multiple screens.

Re: If everything's encrypted, what's the problem?

If you have the server private key then you can decrypt the captured TLS sessions (including at a later date, e.g. if you steal that key), *unless* they use a cipher scheme that implements perfect forward secrecy.

Then you can’t.

But you certainly can’t break TLS just by sniffing the packets as an independent observer, unless you can “break” the maths behind DH.

https://security.stackexchange.com/a/42350 has a pretty good explainer

Re: "but it also treats mobile users like adults capable of making their own decisions"

Yup, and I’ve seen comments elsewhere on this debacle to the effect that one should be able to consent to what Facebook was doing (“if they pay me enough”, said someone)

But IMHO there’s no way they can obtain legitimate *informed* consent from an average user. With the installed root cert and a VPN Facebook were in a position to read *everything* between the phone and any other TLS protected service that wasn’t using certificate pinning (and probably break those that were), riding roughshod over security best practices, laws, and user agreements.

Not just source code

Not everything posted to github, gists, or pages, is code.

It’s quite possible for them to end up hosting dubious or illegal content, or just something that is objectionable to another.

Re: Ticketmaster should be financially responsible for card replacements

Indeed, they may well be getting a less favourable transaction fee now. Unfortunately we’ll end up paying it in “booking fees”.

(In my case it was my Amex card number that got stolen, but it only came to light after the subsequent BA incident. I haven’t flown with BA in years but it seems someone started testing the numbers they had to see which were still working... it’s good to get alerts on card transactions!)

Re: Wild West Days

Is that you, Fis?

Re: Other mobile operators around the world are also affected?

SoftBank did. Presumably they were running one of the old software versions too.

Re: easy pickings

Its actually a good procedure (or would be if they’d done it intentionally) - the returning person may not be doing the same job as before so giving a new account name can avoid giving access they used to have but no longer need.

Re: Paul Vixie is correct

The malware authors are gonna love this new feature, as a way of avoiding even their C&C lookups from being seen.

I've never lost out as a result of fraudulent transactions on any credit card and there have been a few over the years (I don't think I've ever had my debit card ripped off: I don't use it anywhere but ATMs.)

It's just the inconvenience of having to get cards replaced, but Amex were quick (reported Saturday, arrived Tuesday) on the last occurrence - which was probably the miscreants testing cards stolen via Ticketmaster but after the BA hack and publicity.

Re: Missing from the press release -- CVV status

Co-inky-dinkly, my Amex card just got abused last night. At least twice, before I was able to make the call and get it blocked.

Nothing massive, just a couple of online services taking a preauth - possibly an abuser “testing” the numbers. Now I’ve not flown BA for a while: I probably have used that card number with them in the past, though it would be a different expiry and CID.

But there’s a few other orgs that held that card’s details, at least three of which are “big enough” to have been storing numbers themselves instead of a third party system. I hope none of them have been hit, for that would be very messy indeed.

Re: Machine learning.

Adversarial attacks on machine learning are the new hotness!

Here’s an idea: develop or improve some video encoding software, get lots of folk using it, and then flip a switch. Now everyone’s uploading “terrorist content”.