* Posts by Mike Dimmick

168 publicly visible posts • joined 28 Sep 2009


UK code breakers drop Bombe, Enigma and Typex simulators onto the web for all to try

Mike Dimmick

Re: Explain like I'm five ..

The core of the rotors is not permanently attached to the ring around the outside with the letter indicators. Instead there is a dot marking position 1, and a spring-loaded catch that allows the letter-ring to be rotated so that the dot can be positioned at a different letter. The 'rotor ring setting' is the letter pointed to by the dot.

The 'rotor initial value' is then the letter that is chosen by the operator for this rotor, for this message. After installing the rotor into the machine, the whole unit (core and letter-dial) would be rotated using the thumbwheel on the edge.

Why have an adjustable 'ring setting'? It allows the same initial value to be used on consecutive days, but actually mean a different enciphering setting. It also allows the changeover position - where the wheel causes its neighbour to rotate - to be moved relative to the wiring: the changeover position is at a fixed place on the letter wheel rather than the core.
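To make the ring-setting explanation concrete, here is an added single-rotor simulation (my illustration, not code from the post). It uses the public wiring and notch position of Wehrmacht Rotor I, which the post does not name, and shows both effects described above: the same window letter with a different ring setting enciphers differently, and the neighbour always turns over at the same window letter while the core position under it shifts with the ring setting.

```python
import string

ALPHABET = string.ascii_uppercase

# Rotor I of the Wehrmacht Enigma (public historical data, not from the post):
# core contact i (A = 0) is wired to core contact ROTOR_I_WIRING[i], and the
# turnover notch is cut into the letter ring at Q, so the neighbouring rotor
# steps when the window letter moves from Q to R whatever the ring setting.
ROTOR_I_WIRING = "EKMFLGDQVZNTOWYHXUSPAIBRCJ"
ROTOR_I_NOTCH = "Q"


def idx(letter):
    return ALPHABET.index(letter)


def rotor_forward(letter, window, ring_setting, wiring=ROTOR_I_WIRING):
    """Pass one letter through a single rotor in the right-to-left direction.

    window       - letter visible in the window (the operator's initial value)
    ring_setting - letter the ring's dot points at (the rotor ring setting)
    The core is displaced from the fixed frame by (window - ring_setting):
    changing the ring setting slides the wiring under the letter ring without
    changing what the operator sees in the window.
    """
    offset = (idx(window) - idx(ring_setting)) % 26
    contact_in = (idx(letter) + offset) % 26      # entry contact on the core
    contact_out = idx(wiring[contact_in])          # where the core wiring leads
    return ALPHABET[(contact_out - offset) % 26]   # back into the fixed frame


def step(window):
    """Advance the rotor one place. Returns (new window letter, neighbour turned over)."""
    turned = window == ROTOR_I_NOTCH   # the notch is on the ring, so test the window letter
    return ALPHABET[(idx(window) + 1) % 26], turned


def turnover_core_position(ring_setting, notch=ROTOR_I_NOTCH):
    """Core position (0-25) under the window when the turnover happens.
    The window letter at turnover is fixed; the core position under it
    moves with the ring setting, which is the point the post makes."""
    return (idx(notch) - idx(ring_setting)) % 26


def encipher_sequence(text, window, ring_setting):
    """Encipher text through one stepping rotor (no reflector or other rotors).
    Returns the cipher letters and how many times the neighbour would have stepped."""
    out, turnovers = [], 0
    for ch in text:
        window, turned = step(window)   # the rotor steps before each letter is enciphered
        turnovers += turned
        out.append(rotor_forward(ch, window, ring_setting))
    return "".join(out), turnovers


if __name__ == "__main__":
    for ring in "AB":
        print(f"ring {ring}: A at window A -> {rotor_forward('A', 'A', ring)}, "
              f"turnover at window {ROTOR_I_NOTCH}, core position {turnover_core_position(ring)}")
    print(encipher_sequence("AAA", "P", "A"))  # neighbour steps once as the window passes Q
```

Running it shows A enciphering to E with ring setting A but to K with ring setting B at the same window letter, while the turnover still happens as the window leaves Q in both cases; only the core position at that moment (16 versus 15) changes.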

HMRC: We 'rigorously tested' IR35 tax-check tool... but have almost nothing to show for it

Mike Dimmick

Re: Were...

That repository is informative. Looking at the unit test folder https://github.com/hmrc/off-payroll-decision/tree/master/test/uk/gov/hmrc/decisionservice/ruleengine it's clear that the software implements a rules engine. What the decision actually *is* is driven by a set of rules files.

Those rules files are found in e.g. /conf/tables/1.5.0-final, which in turn are a translation of the Excel spreadsheets found at /docs. Looks like the civil servants update the Excel sheets, the developers transcribe them to CSV. I've done that before because Excel isn't particularly automation-friendly and end-users have a tendency to break the sheet format, breaking the importer.

Now, there should have been some form of end-to-end testing carried out to ensure that the software does correctly implement the rules as indicated, and the results of that testing should have been documented. They may have been overconfident that the rules engine actually implements the rules correctly. None of this ensures that the rules themselves are correct - that's down to whoever's doing the spreadsheets.

Microsoft works weekends to kill Intel's shoddy Spectre patch

Mike Dimmick

Re: "which The Register broke on January 2"

The other way to spin it is that The Register risked everyone's security by not practicing responsible disclosure and waiting for the vendors to get their patches in order - which Google Project Zero, not known for giving vendors extra time, were doing. Cue massive scramble and release of patches with problematic side-effects.

I think the editorial staff here need to take a good look at themselves.

OK, Google: Why does Chromecast clobber Wi-Fi connections?

Mike Dimmick

I presume this is some form of timer that the OS stops when the Chromecast is sleeping - but then runs the timer handler for every 'missed' timer event when it wakes up. Therefore if it's been asleep for a minute, you'll get three attempts - but if it's been asleep for a week, you get 30,240 (= 3 x 60 x 24 x 7).

Meltdown/Spectre fixes made AWS CPUs cry, says SolarWinds

Mike Dimmick

Re: I don't get it

It could be that they had not previously enabled Process-Context Identifiers (PCID), or possibly the virtual machine manager allowed it to be virtualised.

PCID is a relatively recent x86-64 addition. The PCID is a tag against the Translation Lookaside Buffer entries that acts as a filter, saying 'this TLB entry belongs to this process'. The hardware will only use a TLB mapping if the tag matches the current process's tag. This allows the TLB to contain mappings for multiple processes or contexts.

Traditionally, on a context switch between processes, the whole TLB had to be flushed, all entries discarded (or marked invalid). That meant that for the initial memory accesses that the process performed, including the instructions to be executed, the hardware would have to walk the page tables to find the mappings from virtual to physical memory, even if it was something that the process had recently accessed the last time any of its threads ran.

With PCID, the OS doesn't have to flush the TLB on a process switch - only if it's reusing a PCID value from a different process. It can selectively flush entries for a process if it's changing that process's address map, using the INVPCID instruction. This would normally happen in response to a page fault exception.

You can mark pages as global in the x86 architecture, which means that when you switch to a new process context - register CR3 changed to point to a different set of page tables, causing a TLB flush - the TLB entries for those global pages are retained. Since it's common that the incoming thread was already executing in kernel mode - for many workloads the thread is blocked on a kernel operation, not having been pre-empted in user mode - this saves having to walk the page tables to find the kernel code.

However, we're now putting kernel code into a separate memory space altogether, so that the processor can't speculate loads of its address space. That causes an address space switch on every user->kernel and kernel->user transition, which itself causes a TLB flush on older hardware or with PCID disabled. So, if the processor doesn't support PCID or it's turned off, the newly-loaded kernel code causes page table walks, then on return to user mode, it has to walk the page tables again.

TL;DR: check that your processor supports PCID and the INVPCID instruction, and that it's enabled.
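As an added example of the check the post ends with (my code, not the poster's), this script reads the Linux feature flags from /proc/cpuinfo and the kernel's meltdown mitigation string from sysfs, and reports whether global pages, PCID and INVPCID are advertised. The file paths and flag names are the real Linux ones; the cpuinfo excerpt embedded as a fallback is constructed, and inside a virtual machine the flags reflect what the hypervisor chooses to expose, which is the point the post raises about AWS.

```python
# Linux /proc/cpuinfo feature-flag names for the CPUID bits discussed in the post:
# 'pge' is global pages, 'pcid' is process-context identifiers and 'invpcid' is the
# selective TLB invalidation instruction.
WANTED_FLAGS = ("pge", "pcid", "invpcid")

CPUINFO_PATH = "/proc/cpuinfo"
MELTDOWN_PATH = "/sys/devices/system/cpu/vulnerabilities/meltdown"

# Constructed sample of a cpuinfo excerpt, used when the real file is unavailable.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: constructed sample (not a real CPU)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge pcid sse4_2 x2apic invpcid
"""


def cpu_flags(cpuinfo_text):
    """Return the feature-flag set from the first 'flags' line of cpuinfo-style text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def feature_status(cpuinfo_text, wanted=WANTED_FLAGS):
    """Map each wanted flag to True/False according to what the CPU (or, in a guest,
    what the hypervisor chooses to expose) advertises."""
    flags = cpu_flags(cpuinfo_text)
    return {flag: flag in flags for flag in wanted}


def pti_enabled(meltdown_text):
    """Interpret the kernel's meltdown sysfs string. 'Mitigation: PTI' means kernel
    page-table isolation is active, i.e. the address-space switch on every
    user<->kernel transition that makes PCID worth having."""
    return meltdown_text.strip().startswith("Mitigation: PTI")


def read_or_default(path, default):
    """Read a file, falling back to the constructed sample on non-Linux hosts."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return default


def report():
    """Human-readable summary; warns when PTI is on but the CPU lacks PCID/INVPCID."""
    status = feature_status(read_or_default(CPUINFO_PATH, SAMPLE_CPUINFO))
    meltdown = read_or_default(MELTDOWN_PATH, "Mitigation: PTI (constructed sample)")
    lines = [f"{flag}: {'yes' if present else 'MISSING'}" for flag, present in status.items()]
    if pti_enabled(meltdown) and not (status["pcid"] and status["invpcid"]):
        lines.append("PTI is on without PCID/INVPCID: expect a full TLB flush "
                     "on every kernel entry and exit")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

If the flags are missing on a cloud instance, the instance type or the hypervisor's CPUID masking is the thing to look at rather than the guest kernel; on Windows the same CPUID bits are listed by the Sysinternals Coreinfo tool.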

One more credit insurer abandons Maplin Electronics

Mike Dimmick

Re: Probably for nought but...

Maplin went downhill after being bought by Saltire group, who owned Altai, one of Maplin's suppliers, back in 1994. My Saturday job changed from trying to help the hobbyists with their list of components to trying to push prebuilt electronics, e.g. the in-car entertainment speakers and amplifiers, on which the company made more margin. Sales not being my forté, I ended up more frequently booking in and counting stock, and only helping out on the tills when the queues reached four or five deep.

Admittedly, the most complicated circuit many customers wanted was a flashing LED and the correct resistor to limit the current from a 12V battery - otherwise known as a fake car alarm.

Linux kernel community tries to castrate GPL copyright troll

Mike Dimmick

Re: I'm confused

Is it copyright or license terms violation?

It is a copyright violation. The law of copyright says that the right to make copies is reserved to the copyright holder. The law also holds that loading a program from disk into memory is making a copy. The copyright holder can make legal agreements - licences - with third parties to make copies. The licence agreement tells you how many copies you can make and under what conditions. If you violate the licence agreement you have no rights to make copies at all - can't copy the source code, can't copy the object code, can't run the program. The object code is held to be a mechanical derivative work of the source code, so all rights in it - even if you compile it, or rather you run the compiler - remain with the source code's copyright holder.

I am not a lawyer, but that's what I recall from my Software Law course at university. That was more than 15 years ago, but I don't believe copyright as applied to software has fundamentally changed in that time.

Support team discovers 'official' vendor paper doesn't rob you blind

Mike Dimmick

Re: The story is ...

My local supermarket prints "last day" reduced prices on yellow sticky labels. Quite often the checkout scanner cannot read them. They appear crisp and legible - and the assistant has no problem reading the printed number below the bar code when they then manually transcribe them.

One major UK supermarket had a problem in the past. They decided to encode the product price in the reduction barcode as well as the product code. Unfortunately they chose a symbology - a method of encoding the data - that their till system did not actually support. So the assistants at the tills had to peel off the new label stuck over the old label, scan the regular product code, hit the reduction button and type in the price.

The new till software was sufficiently delayed that the reduction labels were optimised - the centre horizontal strip of the label, carrying the reduction barcode, was deliberately made less sticky and gained perforations, so that the operator could more easily tear it off to get to the product code underneath!

They did eventually get tills able to read the reduction barcode directly, but it took several years, as I recall.

How can you kill that which will not die? Windows XP is back (sorta... OK, not really)

Mike Dimmick

NetMarketShare free OS-by-version data

Netmarketshare's OS-by-version data is available freely. In the top bar, under 'Market share reports', hover over 'Operating Systems' and click 'Desktop share by version' or 'Desktop trend by version'.

ViaSat lofts world's most powerful communications satellite into orbit

Mike Dimmick

Re: Mixture of Chemical and Xenon?

The xenon gas is the medium in the ion drive (ViaSat refer to it as electric propulsion). The long-term purpose is for station-keeping, keeping the satellite exactly above 69.9°E longitude on the equator.

The chemical thrusters will be used to circularise the satellite's orbit. The launch has only put it into a Geosynchronous Transfer Orbit, an elliptical orbit that is near the final altitude at the furthest point (apogee) but still barely above the Earth's atmosphere at the closest (perigee). It typically needs around 1500 metres per second delta-V to circularise - bring the perigee up to the target altitude - and change the inclination to equatorial. The orbit that the booster left it in is inclined by about the same amount as the latitude of the launch site, so for Ariane around 5°.

ViaSat state that they have enough chemical fuel (probably UDMH/N2O4) to circularise, but electric propulsion will be used to change inclination. Source: https://www.viasat.com/news/what-happens-after-viasat-2-launches-step-1-orbit-raising

NASA swerves serious cash cuts – but Earth climate probes, asteroid snatcher face axe

Mike Dimmick

JWST launch

JWST is going up on an Ariane 5 ECA - The Launch

One IP address, multiple SSL sites? Beating the great IPv4 squeeze

Mike Dimmick

Re: Thumbs up, but have to respectfully disagree with some things

Server Name Indication has been supported in browsers for many years. The last major web server to support it was Microsoft's IIS in Windows Server 2012.

CanIUse.com: Server Name Indication

Wikipedia: Server Name Indication/Support

Good luck securing 'things' when users assume 'stuff just works'

Mike Dimmick

Re: How about what BT/VM do?

@Steve Davies 3: "now it does not broadcast a name at all."

Hiding your network name from beacons does not appreciably add to security. The problem is that the Probe Request, Probe Response, Association Request, Association Response, Reassociation Request and Reassociation Response frames contain the SSID in the clear. All an attacker has to do is listen for one of those frames.

If he doesn't have the patience to wait for a new device to connect, he can send Probe Request frames to the Access Point. If the AP is configured to ignore Probe Requests that don't contain its SSID, all the attacker has to do is identify a device that is already connected, forge a Disassociate message from the AP to that device, and wait for the device to send a Reassociation Request.

Hiding the network name also has another downside - if your device is configured to connect automatically, it will send Probe Requests with your network name whenever it's not connected to something else, so leaking the name of your network if you're out of range.
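To show why "hidden" networks are only hidden in the beacon, here is an added parser for the information-element list of 802.11 management frame bodies (my example, not code from the post). The frame bodies are constructed inline, not captured traffic; the fixed-field sizes and the SSID element ID are the real 802.11 values. The beacon from a hidden AP carries a zero-length SSID element, but the Probe Request and Association Request that any client sends carry the name in the clear, which is exactly what a wireless IDS or a packet capture would show.

```python
import struct

SSID_ELEMENT_ID = 0
SUPPORTED_RATES_ELEMENT_ID = 1


def element(element_id, payload):
    """Encode one 802.11 information element: ID byte, length byte, payload."""
    return bytes((element_id, len(payload))) + payload


# Constructed frame bodies (not captured traffic). Fixed fields precede the element list:
#   Beacon / Probe Response : 8-byte timestamp, 2-byte beacon interval, 2-byte capability
#   Association Request     : 2-byte capability, 2-byte listen interval
#   Probe Request           : no fixed fields
RATES = bytes((0x82, 0x84, 0x8B, 0x96))
NETWORK = b"HomeNet-Constructed"

HIDDEN_BEACON = (struct.pack("<QHH", 0, 100, 0x0411)
                 + element(SSID_ELEMENT_ID, b"")          # name withheld from beacons
                 + element(SUPPORTED_RATES_ELEMENT_ID, RATES))
ASSOC_REQUEST = (struct.pack("<HH", 0x0411, 10)
                 + element(SSID_ELEMENT_ID, NETWORK)      # client names the network
                 + element(SUPPORTED_RATES_ELEMENT_ID, RATES))
PROBE_REQUEST = (element(SSID_ELEMENT_ID, NETWORK)        # sent whenever the client looks for it
                 + element(SUPPORTED_RATES_ELEMENT_ID, RATES))


def parse_elements(data):
    """Parse the ID/length/value list at the end of a management frame body."""
    elements, i = [], 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        payload = data[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        elements.append((eid, payload))
        i += 2 + length
    return elements


def ssid_of(elements):
    """Return the SSID string, '' for a hidden SSID, None if the element is absent.
    Some access points fill the element with NULs instead of sending it empty;
    treat that as hidden too."""
    for eid, payload in elements:
        if eid == SSID_ELEMENT_ID:
            return "" if not payload.strip(b"\x00") else payload.decode("utf-8", "replace")
    return None


def ssid_from_beacon(body):
    return ssid_of(parse_elements(body[12:]))


def ssid_from_assoc_request(body):
    return ssid_of(parse_elements(body[4:]))


def ssid_from_probe_request(body):
    return ssid_of(parse_elements(body))


if __name__ == "__main__":
    print("beacon   :", repr(ssid_from_beacon(HIDDEN_BEACON)))         # '' - name withheld
    print("assoc req:", repr(ssid_from_assoc_request(ASSOC_REQUEST)))  # name in the clear
    print("probe req:", repr(ssid_from_probe_request(PROBE_REQUEST)))  # name in the clear
```

The practical conclusion matches the post: treat the SSID as public, and put the security in WPA2/WPA3 with a strong passphrase rather than in hiding the name.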

Mystery Kindle update will block readers from books after Wednesday

Mike Dimmick

Probably SHA256 support

It's likely that the certificate Amazon use for TLS (HTTPS) support, for the connection to the store, is about to expire. SHA-1 is now not considered secure enough for signing the certificate; all new certificates issued after January 1 were supposed to be signed with SHA-256 instead.

It's quite probable that the older device operating systems didn't support the SHA-256 algorithm, and need to be updated to include it.

UK can finally 'legalise home taping' without bringing in daft new tax

Mike Dimmick

My understanding of the article is that Spain's blank media tax is not hypothecated (accounted for in a separate accounting). The tax goes into the general fund, the payments come out of the general fund. The collecting societies were presumably appealing because there's no actual law saying that money in has to equal money out - and the court said that was fine, there didn't need to be one. So Spain can set the tax as high or low as they want, and the payments as high or low as they want, as long as the payments are fair.

This is a hell of a lot easier to manage, because they don't need to worry about adjusting the tax or payment levels to deal with surpluses or deficits in the hypothecated fund, if the aggregate tax collected and payments made don't match up.

11 MILLION VW cars used Dieselgate cheatware – what the clutch, Volkswagen?

Mike Dimmick

Re: European testing

In both Europe and the US, the manufacturer carries out the emissions testing. Both the EPA and the European government performing type approval do a random sample to verify that manufacturers aren't routinely submitting fake results, but they don't have the resources to routinely test all new vehicles. Sometimes this testing does pick up cheats, like Hyundai last year. But it can't pick up cases where the vehicle detects that a standard emissions test is being run and switches to a more economical or lower emission mode - the random sampling just repeats the standard test to check that a production car gets the same result, within a reasonable error margin.

The point of the standard tests is to allow comparison between vehicles, not to give an indication of how much fuel would be consumed on your journey. There are simply too many variables with temperature, road surface condition, wind speed and direction even before you account for driving style and traffic. The EU test could stand to be revised, though, as it has slow accelerations and nearly all of it is below 60mph. This gives unrealistically good numbers when compared to most drivers' behaviour.

Microsoft kicks off 'Windows as a service' with new Insider build

Mike Dimmick

Re: Compressing and decompressing pages

"I look forward to seeing their Out Of Memory Killer daem, sorry service, innovation next."

Unlike Linux, Windows never overcommits memory. Every page of memory that is committed has space allocated for it in the page file. If the page file hits its limit, Windows will try to grow it; if it can't grow the page file, it will start telling the user to close some programs.

Microsoft will explain only 'significant' Windows 10 updates

Mike Dimmick

Re: The seem to be going in an unsavory direction...

"The last four updates offered to me all had the same uninformative descriptions. Going to the KB articles revealed that two were concerned with potential problems and two were purely concerned with adding tracking and telemetry functions."

Windows 7 updates have *always*, in my experience, had completely unhelpful titles and descriptions shown in Windows Update. You always had to click on the KB article link to find out what it actually does. This is also true in WSUS. The differences with Windows 10 are:

- There is no link to the KB article from within the 'More Details' popup in Windows Update

- The KB article, once you type the 7-digit number in (can't copy from the popup either), has no details in it. It lists a huge list of files, because the updates are cumulative - there is no Limited Distribution Release servicing channel for Windows 10.

Windows Update has the ability to only download the changed files, indeed only the changed parts of the changed files, so it doesn't have to download gigabytes every time. You could probably work out what's changed by checking the version number of the files (it seems they don't rebuild every component every time despite describing it as a cumulative update).

I suppose there's a question of whether to list every change since the previous cumulative update, or whether to list every change since the original 10.0.10240.16384 build, but not showing anything is particularly unhelpful.

The same is true of the built-in apps, the other side of the story. In Windows 8.1, the Store app gained the ability to show a change log. Third-party developers often use it properly, but most Microsoft apps, especially those bundled with the system, tend to just say 'performance and stability improvements'.

Citrix warns that Windows 10's Edge browser borks Receiver

Mike Dimmick

Re: Can't they do it the iOS way?

"I very much doubt that Edge, as basic as it is, doesn't support this."

It does. It produces a prompt ("Did you mean to switch apps?") that Edge is trying to launch the Receiver client, but there is no option to suppress this prompt in future, so Citrix have decided not to go that way. I believe it's a system-level prompt from Windows Runtime rather than Edge itself - the result of setting TreatAsUntrusted to true in the LauncherOptions object passed to Windows.System.Launcher.LaunchUriAsync.

I suspect the decision is default security paranoia - don't trust any Uri that isn't one handled by Edge itself.

Frankly I think the inconvenience factor of getting this prompt every time is far, far lower than the workarounds they list to avoid it.

Think beyond the Beeb: Gov consultation is crucial for free telly

Mike Dimmick

Re: The rest of the licence fee

When the ad market crashed after the Credit Crunch, Channel 4 were all for top-slicing the licence fee and grabbing a bit. When they saw what the government did to freezing it in 2010 - and the ad market recovered - they were suddenly rather less keen and stopped talking about it. So it never actually happened.

Windows 10 Edge: Standards kinda suck yet better than Chrome?

Mike Dimmick

-webkit- prefixes in Edge

Microsoft have discovered that a very large part of the web - particularly the mobile web - doesn't work properly without -webkit prefixes. So they've implemented a ton of them in Edge: http://www.justrog.com/2015/05/the-web-no-longer-works-without-webkit.html .

Yes! Windows Phone lives: Microsoft to pump the device Kool-Aid

Mike Dimmick

Not abandoned

The Windows Phone development team got merged into the Windows development team two years ago - in fact it was a reverse takeover, with Terry Myerson and Joe Belfiore taking the reins of the Windows group. Now both products are built from the same source tree. Windows Phone 8 and 8.1 were both forks of the PC codebase, which allowed WP to go its own merry way for that version, but made it incredibly hard to then merge back together to pick up the changes in Windows. Now, new features have to be designed to work on both small and large form factors, and handle touch, keyboard, mouse and controller inputs (Xbox One is now also built from the same tree).

There will still be platform-specific APIs, but it will be possible to test for and use them at runtime - search for API Contracts.

What was announced last week was that the first-party *hardware* team would be cut back, and only release a few new devices per year - reportedly a small and a large screen device in low-, mid- and high-end specs. (Microsoft only mentioned the three targeted tiers, they didn't actually mention two devices per tier.) They certainly did not say that they were pulling out of hardware entirely, just focusing on a few devices rather than the dozens (with dozens of minor variants that share the same model number!) that Nokia were producing.

Trebles all round: The BBC's won this licence fee showdown

Mike Dimmick

Re: "Arguably"

BBC tv also broadcast for fewer than 12 hours a day on weekdays and Sundays, in 1961. It only started up before midday on Saturdays.

You can find schedules at the BBC's Genome site, which has scans of the entire Radio Times archive.

Microsoft's secret weapon in browser wars: Mozilla's supercharged Asm.js

Mike Dimmick

IE hasn't used the COM JavaScript engine since IE9. IE9 moved to implementing the DOM type system in JS. Justin Rogers of the Edge team posted an interesting look at how this works at http://www.justrog.com/2015/05/javascript-type-system-evolution-from.html?m=1

Conditional comments are not supported in 'edge' and IE10 document modes in IE10 and 11. Only when emulating IE 9 or older. https://msdn.microsoft.com/library/hh801214(v=vs.85).aspx

Microsoft Edge removes the concept of document modes. http://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/

Mike Dimmick

Gone

Edge won't support VBScript at all. http://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/

Major London rail station reveals system passwords during TV documentary

Mike Dimmick

Actually...

Don't put authentication into systems that don't need it. It looks to me as if that's a username/password combo for routing the appropriate signalling information to that particular workstation. That is, the signalman for that area always goes to that workstation, rather than the signals following the user to whatever workstation he logs in at.

If that's the desired configuration it shouldn't require the user to enter it at all!

Windows 10 apps to rule them all – phones, slabs and PCs: Microsoft pulls out 'universal' tool

Mike Dimmick

JScript.NET has existed since .NET 1.0 was released in 2002. However, it hasn't been tracking ECMAScript releases, being approximately based on ES3.

I can't see anything saying that the recommended way to use JavaScript to write Windows Store apps - using WinJS - has changed at all. That will continue to use the Chakra engine and presumably the new EdgeHTML rendering engine from Spartan, once you change your manifest to Windows 10. I'd expect Windows 8 and 8.1 Store apps to continue using the older MSHTML in Edge mode.

UK.gov in pre-election 'Google tax' blitz against internet firms

Mike Dimmick

25% of nothing is still nothing

The problem with Google, Microsoft, Apple, Amazon etc is that they are falsely attributing costs and revenues in order to declare a reduced or zero profit in the UK. It doesn't matter if the rate is 20%, 25% or 100%, the Treasury won't get anything. This is a deliberate attempt by the government to claim to be doing something while in fact doing nothing. It is worse than doing nothing as it has the appearance of having solved the problem, taking public attention away from it.

Microsoft to store deleted Exchange Online mails FOREVER

Mike Dimmick

Filing system

This is probably to deal with people who use the Deleted Items folder as a filing system. I've worked with people who do this - they move messages to Deleted Items once they've been actioned but expect them to stay there indefinitely for archive purposes.

On-premises Exchange leaves them alone, so I'm not surprised to see Exchange Online doing the same thing.

For pity's sake, you fool! DON'T UPGRADE it will make it worse

Mike Dimmick

UK Extended Layout

Install the United Kingdom Extended keyboard layout. This supports pressing AltGr+a key with an accent-like character on it as a 'dead key' - press another letter to add that accent to that letter. In addition, just pressing AltGr+a vowel gives you the acute-accent version of that vowel (plus also w and y which are used in Welsh).

The back-tick key ` becomes a dead key without requiring shifts. If you need to actually type this as a programmer, just hit space afterward.

The only annoying part is that Windows tracks keyboard layout per program, so if you have more than one layout installed you have to check which one is selected for every new program you run.

Euro broadcast industry still in a fug over that 4K-ing UHD telly

Mike Dimmick

Never mind the quality, feel the width

UHD will require at least twice the bitrate of HD*, so you'll get at best half as many channels in the same spectrum. When surveyed, users want more content over better quality. It's how the Freeview channels get away with 544x576, a frame size designed for 4:3 content rather than 16:9 (if using the same horizontal resolution as 720 pixels at 16:9, 544 pixels produce a 4:3 frame).

* Assumption - that HD continues to use H.264/AVC while UHD uses H.265/HEVC. UHD has four times as many pixels as HD and the bitrate tends to scale linearly with number of pixels. It's hoped that HEVC will eventually achieve a 2:1 improvement in compression over AVC for approximately the same visual quality. It will probably take many years, though - right now, the result is little better than AVC.

Microsoft launches wobbly Windows 10 phone preview for Lumia daredevils only

Mike Dimmick

Less storage

Yes, there is a Lumia out there with less storage: the Lumia 530 only has 4GB. This was basically a chassis designed by Nokia to run either Android or Windows Phone. The savings don't appear to have been worth it - Microsoft are essentially replacing it with the Lumia 532, which has 1GB of RAM and 8GB of storage for basically the same price. (The launch price of the 532 is actually lower than that of the 530.)

If you have the Windows Phone 8 or 8.1 emulators installed on your computer, you can actually see the problem by mounting the .vhdx file. The storage is divided into a number of disk partitions, with the OS partition being essentially immutable. This means a phone reset is easy, you just wipe the user partition, rather than having a backup copy of the OS as Windows 8 does on desktop, laptop or tablet. It sounds like it's impossible to resize the OS partition in a device update, in order to make more space, or at least not in just a Windows update. The talk of 'partition stitching' suggests that they might intend to spread the OS into more than one partition for WP8.x phones - of course the Windows NT volume manager driver has been able to do this since at least Windows 2000.

I wouldn't be surprised to see this partitioning behaviour go away for phones built for Windows 10. It's just added complexity. It doesn't look like Windows Phone supports the Compressed OS feature from Windows 8.1 yet, so there could still actually be a reduction in size from WP 8.1 to 10.

Hear that sound? It's the Windows XP PC bubble popping

Mike Dimmick

Re: Huh?

@BongoJoe: Contacting them how? Their support policy is pretty clear.

Microsoft will consider hotfixes and Design Change Requests for products within the Mainstream Support phase of their lifecycle, if you raise a case with Product Support Services. That means paying, using a free support incident that came with your product purchase (if bought as a retail product), or through Software Assurance or a Premier Support Plan.

If you obtained the product with your computer (which is how most people get Windows), your first port of call is your OEM - the reduced price of the OEM Windows edition doesn't include support, it's outsourced to the OEM. If you bought an OEM version of Windows on the open market and installed it yourself, congratulations! You don't get any support.

If the product has moved on to the Extended Support phase, which Windows 7 did on 13 January, you need to have bought an Extended Support Hotfix Agreement within the first 90 days after it did so. You can then get hotfixes by contacting support. They won't consider any Design Change Requests, though.

If you contact the product group through blogs, email, connect.microsoft.com or User Voice, they might consider your issue for a fix in the next version of the product. They're unlikely to develop a patch for existing versions unless there is some wider issue that you're highlighting. Generally patches for released versions are developed by the Windows Customer eXperience Engineering team, not the people working on the next release.

If you think it's a security issue, email secure@microsoft.com. (security@microsoft.com is *building* security.)

I would expect to see this start to change if Microsoft are really going to treat Windows 10 as an 'evergreen' release in the way that Google Chrome and Mozilla Firefox are 'evergreen' browsers. The way it works now is based on the principles of stability - no changes unless strictly necessary - and that someone has to pay for the fix to be developed. If you're not paying (or haven't pre-paid) they're just not interested.

The support you're not getting for Windows XP is that you're not getting security updates. No-one is checking whether Windows XP is vulnerable to any of the issues that have been reported, and if it is, there is no commitment to developing fixes.

About that UK digital biz renaissance? Not so fast

Mike Dimmick

Re: Another source of misleading registrations

I think shelf companies should be reported with an SIC code of 99999, and therefore be distinguishable from real company registrations, but the point probably stands.

EDIT: I found a company offering shelf company registrations at http://www.formacompany.co.uk/en/united-kingdom/uk-shelf-company and looked up some of their tech-sounding companies on the Companies House WebCheck. Big Blue Data Ltd and Highway Software Ltd were registered with SIC code 74990 - Non-Trading Company.

Behold: The touchy-feely future of Office on Windows 10 fondleslabs

Mike Dimmick

Windows 8 does not have the new APIs

I don't expect this version of Office to come to Windows 8, because I expect that there will have been substantial extensions to Windows Runtime in order to support Office's functionality. This is one reason why Windows 10 will be a free upgrade.

If Windows Runtime 8.1 had APIs that could support all of Office's functionality, I would have expected Microsoft to have already released Office for Modern Windows, parallel with the iOS version.

Mike Dimmick

Re: Touchy feely does not equal productive

That's simply an issue of not putting the focus in the navigation field. It's a bug. Report it.

Enough is enough: It's time to flush Flash back to where it came from – Hell

Mike Dimmick

Internet Explorer users

IE users can selectively block Flash and other plug-ins loaded by pages using the ActiveX Filtering feature. This has been part of IE since IE9. Click the gear icon at the right-hand end of the tab bar, go to Safety, then check ActiveX Filtering.

Now, when a site tries to load any ActiveX object - including Flash and Java applets - it will silently ignore them. You'll get a blue circle icon with a diagonal line through it, just to the left of the reload icon. If you want to re-enable for that site, click the icon, then click "Turn off ActiveX Filtering". Despite the name, it only operates for that site.

The blue icon will also appear in the top-left of any placeholder areas where the control would have loaded.

On any page on that site which loads an ActiveX control in future, you'll see a grey icon instead of the blue one (same shape). Click the grey icon then click "Turn on ActiveX Filtering" to filter out again.

On Windows 8 and 8.1, Metro IE does not have any UI to control ActiveX Filtering - since it won't load any ActiveX control barring Flash - but it does obey the filtering rules. To turn it on and off, and control it for a site, open the page in desktop IE.

Mike Dimmick

Re: This type of mentality is irrational, bordering stupidity.

"Netflix uses Silverlight which is Flash's direct competitor by Microsoft. It faces the same problems and it also has been patched a lot recently."

Have to pull you up on this. Silverlight 5 for 32-bit Windows has been patched five times in its entire existence, from December 2011 (so a little over 3 years). Three were remote code execution issues, one could potentially allow information disclosure, and one was a defence-in-depth measure correcting a problem where other code could be attacked using Silverlight as a vector (it meant the location of attack code was predictable). The most recent patch was last March.

Is Windows RT not invited to the Windows 10 upgrade party?

Mike Dimmick

Horrible communication from MS

I think this is bad communication from MS, compounded by poor/lack of branding. They have both 'Windows 10' as an umbrella term meaning the whole family of related products, and 'Windows 10' as a specific set of components, which is the product for x86 desktops, laptops, and tablets over 8" in diagonal. I think they mean that Windows RT devices will not be updated to 'Windows 10' the product - just as Windows RT 8.1 doesn't have all the components of 'Windows 8.1' the product - while there will still be a product from the Windows 10 family. They haven't decided exactly what will be in it yet, and they don't want to brand it 'Windows RT 10' because they don't want to continue the confusion.

The big question is whether to continue to include the desktop, and all the Win32 and COM components which it depends on.

It hinges on Office. Windows RT devices all included Office Home & Student 2013, the same code recompiled for ARM, with only features removed that couldn't be easily rewritten for ARM within the time available. The proposed Office for Windows Runtime is expected to have a fuller feature set than Office for iOS or Android, but it could well end up being smaller than what Office RT provided.

If so, the dilemma for the Windows team is whether to replace Windows RT with SKU #2, and lose features from Office, or to replace it with SKU #1, and continue to ship the desktop version of Office, appropriately cut down (although presumably still missing the same features as it was before, depending on whether they invested any effort in rewriting those components). It may be that Office's feature set is still not finalized sufficiently to make this decision - it could be a very late-breaking announcement as to which way they're going to go.

Saying that there will be no upgrade path, or that it won't be Windows 10 (what on earth else would it be if not some subset of all components in the Windows 10 build tree?), is massively premature.

Microsoft snubs Codeplex, moves big projects to GitHub

Mike Dimmick

Re: Perforce

My understanding is that Windows still uses Source Depot, which is a fork of Perforce. That replaced a home-grown tool in late 2000, during XP development.

Mind you, historically, the Windows team have always thought that anything that came out of DevDiv was crap. There's a reason they started over with Windows Runtime rather than continue with WPF or Silverlight, and why very little was ever done with MFC or Windows Forms.

Snowden leaks lack context says security studies professor

Mike Dimmick

Re: worse @ streaky

Certificate authorities simply sign the server certificate to indicate that they issued it. It can imply that they did some background checks to ensure that the person requesting the certificate did in fact represent the organisation that the certificate claims to be generated by, although you pay for what you get: a CA that countersigns certificates for free is unlikely to have made substantial checks.

The CA never sees the private key corresponding to the public key contained in the certificate, so cannot decrypt or help decrypt communications.

The security services can subvert a certificate authority, to get them to sign a fake certificate that claims to be for the site that you're trying to use. That can then be used in a man-in-the-middle attack. It doesn't require that the CAs explicitly have an agreement to allow the NSA or GCHQ to do this; fraudulent certificates have been issued in the past simply through social engineering. If the security services can get their own CA into the browsers' list of trusted root authorities, they don't even have to do that.

Google have proposed (and implemented in Chrome) a technology called 'public key pinning' which requires that, for a period of time, the certificate presented by a server must have been signed by a specific public key. That requires the attacker to actually compromise the CA that countersigned the genuine certificate, rather than compromising any CA or setting up a fake root CA.

Blam! Max Sound flings vid codec sueball number four at Google

Mike Dimmick

Re: Google's free Codec

Doesn't help if the patent holder is not part of MPEG LA's patent pool, which Max Sound and VSL are not. Presumably they are suing Google / YouTube because they have the deepest pockets, but if successful you can expect every one of MPEG LA's licensees to get sued as well.

MPEG LA is a *voluntary* grouping of patent holders who have chosen to offer licences for their patents as a group. There is no compulsion for any patent holder to join and there can still be submarine patents held by anyone else. If the holder participated in the standardisation process, they're supposed to offer the patents on a FRAND basis, but if the standard accidentally includes something that was patented by a third party, all implementers could be liable for heavy royalties and discriminatory behaviour.

It is simply not practical to have a fully-vetted standard. There are too many patents issued every year even for experts to keep up, and they're not readable by engineers so there's really no telling what might turn out to be considered an infringement.

Still, I think it's better to go with standards that are developed in the open with the opportunity for patents to be disclosed and either worked around, or held under FRAND promises (though this may not be worth much when companies demand huge percentages of sale price from every vendor - it's not discriminatory if you're screwing everyone). VPx and other privately-developed encodings will always suffer more from submarine patents than the ISO/IEC/ITU families.

BBC clamps down on illicit iPlayer watchers

Mike Dimmick

Re: illicit viewers?

@Michael Jennings:

The BBC recently retired what they called 'Big-Screen iPlayer' - source http://www.a516digital.com/2014/08/bbc-to-retire-bigscreen-iplayer-as-new.html

The BBC list the supported Philips models at http://iplayerhelp.external.bbc.co.uk/help/information/philips

Apple's Watch is basically electric perfume

Mike Dimmick

Re: industry subpar knock-offs

You need a 64-bit CPU to access more than 3 gigabytes of RAM, though (same as with a PC), and modern smartphones are right up around that mark.

You need a 64-bit CPU to provide more than 2 gigabytes of virtual memory to applications (anywhere between 2 and 4GB, depends on the operating system and its configuration, but 2GB is typical because it's trivial to separate user and system space).

ARM's ARMv7A architecture supports Large Physical Address Extensions, which permit a 32-bit processor to manage a 40-bit address space - up to 1TB of RAM. ARM first implemented this in the Cortex-A15 core. It's up to the OS to map the app's virtual memory to whatever regions of physical memory are required.

All current phone/tablet operating systems restrict the amount of memory that an app is permitted to use. iOS does not have published limits but reportedly the iPhone 5 will close your app if you allocate more than 645MB of its 1GB RAM. Android has an OEM-configurable maximum heap size - you can request a 'large heap' which gives a higher limit to your app, but this is still dependent on the OEM and is well short of the total memory available. Windows Phone 8.1 allows apps designed for 8.1 up to 185 MB for phones with less than 1GB of RAM, 390 MB for 1GB devices and 825 MB for 2GB devices. I believe these limits are relatively low so that several apps can remain in memory at once.

Pedals and wheel in that Google robo-car or it's off the road – Cali DMV

Mike Dimmick

Re: which should be the default more-reliable case in the event of conflicting input?

@Charles Manning: Air France 447 is a case in which all three of your points occurred. And that occurred with experienced pilots who had been taking shifts in order to ensure they were fresh and alert. They still failed to recognise the situation they were in, applied inappropriate control inputs and crashed the plane.

Frankly, I think auto-pilot cars are dangerous as the meatsacks will be tempted not to pay any attention. I also haven't seen any sign that the control software will be designed to proper safety standards, nor provision for independent, redundant control systems as used in aircraft. Cars may be slower and closer to the ground, but there are many more of them packed much closer together.

'Things' on the Internet-of-things have 25 vulnerabilities apiece

Mike Dimmick

Re: Remind me again why we "need" this BS?

There are two problems with the washing machine scenario:

1. You have to have already loaded your washing into the machine.

2. It's not a good idea to leave damp washing in the machine for a long time. It can start to smell fusty.

I use the timer function on my washing machine to ensure that it's done roughly when I expect to get home from work, or alternatively shortly after I get up in the morning, depending on whether I remember to load the machine before going to bed.

I can just barely see the use for bringing the finishing time forward if I decide to leave work early, or pushing it back if I'm going to be late, but you'd have to know before it's actually started washing that you wanted to delay it. (Typically not a good idea to stop the machine in the middle of the programme.)

The benefit to me is tiny, so I wouldn't spend any more on an IoT washing machine over an equivalent non-IoT version, and I certainly wouldn't be looking to upgrade (and get on the upgrade treadmill, to keep up to date with all the patches necessary to ensure that miscreants can't use it to send spam/crack keys/mine Bitcoin - assuming the manufacturers produce them) just for this feature. Given that router manufacturers - producing a vital piece of comms equipment exposed to the public internet - don't keep up on producing patches, I have no hope that general consumer electronics makers will.

I wouldn't have had the timer, except that since the machine is in the kitchen of my one-bed house with only a worktop between that and the lounge, it really makes too much noise to run it in the evening. Now, a machine that could spin near-silently at 1200rpm, that would be worth having!

Stick a 4K in them: Super high-res TVs are DONE

Mike Dimmick

Re: It doesn't matter how good the display is if there's nothing to display

The BBC some time ago (at least) transmitted BBC 1 HD with an output that swapped between interlaced and progressive at the GOP boundaries depending on which they were getting a better compression from.

This has now been rolled out to all services on the PSB3 Freeview HD multiplex (BBC One/Two/Three HD, ITV HD, 4hd) and I believe it is also used on COM7 (CBeebies/BBC Four, Channel 4+1, 4seven, Al Jazeera HD).

I don't think it is used on satellite - changing the interlacing mode on a GOP basis was not part of the Freesat or Sky specifications. Doing this caused a problem on early Freeview HD units, and in some cases TVs using external Freeview HD boxes (it depended whether the box passes through the 1080p25 GOPs or converts to 1080i50). There tended to be brief switches to black and audio glitches on mode switches - annoying but bearable on programme transitions, not acceptable when it could switch more than once per second (a GOP is usually shorter than 25 frames).

Internet of Things fridges? Pfft. So how does my milk carton know when it's empty?

Mike Dimmick

UPCs are incredibly cheap

Membership of your national GS1 subsidiary costs a couple of hundred to a couple of thousand dollars depending on your company turnover. GS1 UK charge £107 joining fee and £117 annual membership if your turnover is under £500k, which entitles you to codes for 1,000 distinct products. There is no per-product fee. You just have to include the barcode in the label you were going to print anyway. It literally costs nothing beyond ensuring that the printed label is in spec.

For turnover of £1bn or higher, the joining fee is £327 and annual fee is £2,602, which gets you a prefix valid for 100,000 product codes.

A Global Trade Item Number (UPC is a subset) describes one product. Not a family. In the milk example, skimmed milk will have a different code from semi-skimmed. A 2pt container will have a different code from 1pt. Organic a different code from regular, from value. Order the same code and you'll get the same back.

RFID tags contain the GTIN as one of the data components, so you don't make any saving compared to a paper barcode - you still have to be a member of GS1 if you want to sell your products at any retailer. If you just want to sell your products in-house, there's a range of GTIN codes reserved for private use.

If you want fewer than 1,000 codes, you can go to a reseller who will register your product under one of their prefixes. They can be a lot more expensive per code. You still only pay once to register the product, every use of that code is free.

TIME TRAVELLERS needed to secure Windows 7

Mike Dimmick

11 SP1 by another name

The problem here is that Microsoft refused to call their April update - corresponding with Windows 8.1 Update 1 - by a new name. So they have to go around calling it 'with the 2929437 update installed'.

If they had actually called it by its true name - Service Pack 1 - it would be clear that they are breaking their own Service Pack and Security Update policies (and the same goes for 8.1 Service Pack 1). The Service Pack Policy says that they will support service packs for Windows (and Windows components such as IE) for 24 months after the release of the following service pack. The Security Update Policy says:

"Microsoft will provide security update support for a minimum of 10 years (through the Extended Support phase) for Business, Developer and Desktop Operating System products. The security updates will apply only to the supported service pack level for these products.

"Both the Mainstream Support and the Extended Support phases require that the product’s supported service pack level be installed to continue to receive and install security updates.

"Security updates will be available from Windows Update during the Mainstream Support phase, and the Extended Support phase (if available)."

Since there is officially no service pack for Windows 8.1 or for IE 11, security updates should be on Windows Update for the original release, regardless of whether another update has already been installed. Alternatively, if we count Update 1/2929437 as being Service Pack 1, they have still withdrawn support for the original release nearly two years before they should have.

Privacy International probes GCHQ's mouse fetish

Mike Dimmick

Memory inside microcontrollers?

Current generation microcontrollers have far more memory than needed to contain the very simple program for a keyboard. You could program the keyboard controller with a document, then use some special switch or key sequence to have it type out that document on demand.

We know that "security" services sometimes engage in physical hacks, breaking in at night and replacing the keyboard with one programmed to record your keystrokes. Later they can break in again and collect the recorded data from the logging keyboard. It's not a stretch to think that journalists could use a similar approach to hide copies of documents - or at least that the goons would think that.

I doubt there's a microcontroller in the power supply unit, though!
