• Still dithering over what hardware to buy to build out my software lab - so far I have two laptops and two monitors, which is a good starting point.  I'll have the money just before Christmas but I have six different possible configurations and I can't afford them all.
  
  So I got a virtualised dedicated server with an Aussie hosting company I've used for a while.  I just have a couple of cheap cloud servers with them - about $20 a month combined - but they've been rock solid.  And they bill hourly in arrears so if it turned out not to be what I wanted the cost would be negligible.
  
  Turns out it's great.  I had it up and running with Ubuntu 20.04 in 30 seconds.  I wanted to configure it with 75% of the disk space in ZFS to run LXD, and they have a control panel that lets you do exactly that, without needing a reinstall or manual configuration.  Resize, reboot, configure ZFS, done.
  
  Disk is 800GB of mirrored NVMe storage and gets about 1.6GB per second on writes in an actual test, which is just fine.
  
  It's more expensive than US-based options but it's an 8ms ping from my house compared to a 180ms ping even to Los Angeles.  It's great.
  
  If I keep it for more than six months and I don't end up using it for any public or shared stuff I might as well have bought a NUC or something like that, but the ease of getting it up and running is hard to beat.
  
  So now I'm getting started on the software side of the software lab and maybe I'll wait for the sales after Christmas before ordering any more hardware.

• A well-known tech blogger got caught in that Princeton research project that involved thinly-veiled legal threats from fake email accounts to random websites. (Christine.website)
  
  I'd be happy to see this asshole getting sued.
  
  
  The problem is, you'd have to be able to prove actual damages.
  
  
  Oh.  Well then.  Gentlemen (and Christine), call your lawyers.
  
  
  
• This isn't tech news but it has to be seen to be believed.  The German army, facing fierce criticism for organising a march of soldiers wearing 20th century uniforms and carrying burning torches, played the Don't Mention the War card.
  
  
  You started it!
  No we didn't!
  Yes you did!  You invaded Poland!
  
  
  
• Kolmogorov Complicity.  (Slate Star Codex)
  
  Kolmogorov - a Soviet mathematician perhaps best known for his mathematically precise definition of complexity - walked a fine line with Stalin's thugs, mouthing Party platitudes while continuing his research and trying to protect others.  He survived the purges by keeping his mouth shut most of the time, though he did publish a paper that indirectly denounced Lysenko.
  
  This 2017 article links to pieces by Scott Aronson and Paul Graham from 2017 and 2004 respectively.  Given who was occupying the White House in those particular years I expected the comments to be a dumpster fire, but for the most part, no.  Though some of them have proven in retrospect to be hopelessly naive.
  
  
  
• Log4j 2.17 is out fixing the bug in 2.16 that fixed the bug in 2.15 that set the world on fire last week.  (Bleeping Computer)
  
  Fucking yay.
  
  This one is relatively minor; all it does is kick of an infinite recursion that kills your server.
  
  
  
• Putting a lampshade on the new MacBook's idiotic screen notch.  (IconFactory)
  
  The Dell Inspiron 16 Plus delivers 92% of the CPU performance of the M1 Max MacBook Pro (and 150% of the GPU performance) for half the price, weighs the same, and does not have an idiotic screen notch.
  
  
  
• Wikipedia has booted a team Chinese editors working to push genocide apologetics.  (Wikimedia)
  
  They took it a little too far when they physically assaulted other Wikipedia editors.  Just posting communist propaganda apparently didn't raise any red flags.
  
  So to speak.
  
  
  
• Scripps Memorial Hospital automatically marks everything up by 675%.  (MSN)
  
  Something needs to be done about that bullshit.  I can go to my eyecare specialist here locally, get a basic test for "free" (we have a specific extra income tax allocated to healthcare, so while it's not free at all, it is at least visible), and pay out of pocket for a retinal exam that isn't covered by the government plan.
  
  Last time I was there they recommended it since I'm past a certain age, but stressed that it was an additional expense.  Of 60 bucks.
  
  Lady, you charged me $600 for a new pair of glasses with the high refractive index glass I need for my prescription.  I'm not going to quibble about 60 bucks for a test every couple of years that could save my eyesight.
  
  ...
  
  I did however get my next pair of glasses from an online store.
  
  
  
• Intel is planning to shower top engineers with $1 billion in cash and $1.4 billion in shares next year.  (Tom's Hardware)
  
  They already pay pretty well, but it's a fiercely competitive market.
  
  

Posted by: PatBuckman at Monday, December 20 2021 12:42 AM (r9O5h)

Posted by: cxt217 at Monday, December 20 2021 10:49 AM (MuaLM)

Hide Comments | Add Comment

• First day of my holiday so naturally I got woken up by an emergency at 4AM because someone misconfigured a new website and overloaded the back-end servers with a flood of queries.
  
  And my main Windows desktop had just updated itself and my terminal emulator had decided that it could no longer run without being updated to the latest release, so that was fun.
  
  
  
• The BMJ - British Medical Journal - published an expose of dubious experimental controls at a company contracted by Pfizer to assist in testing their Bat Flu vaccine.
  
  Facebook, as is its wont, "fact checked" this.
  
  The BMJ - which has been published since 1840 and is one of the world's leading medical journals gave them both barrels, reloaded, and is standing at the ready with one eyebrow raised.  (BMJ)
  
  
  
• Meanwhile researchers at Princeton are running an experiment in which they, uh, threaten legal action against randomly selected subjects.  (Free Radical)
  
  These fake threats of legal action potentially open Princeton to real lawsuits.  The research was passed by the university's review board which said, and I quote, yeah, whatever.  (Princeton)
  
   Good work, idiots.
  
  
  

Tech News

• Nvidia has announced the RTX 2050 which is not an RTX 2050.  (AnandTech)
  
  It's an RTX 3050 with half the memory bandwidth.
  
  The company also announced the MX550, which is an MX450, and the MX570, which is an RTX 2050, which is as we noted an RTX 3050.
  
  Hope that clears that up.
  
  
  
• TSMC has announced their N4X process node - nominal 4nm - optimised for higher clock speeds.  (AnandTech)
  
  At least 15% faster than 5nm, which is up to 15% faster than 7nm.
  
  But it won't be available for two years, while N3 - their basic 3nm process - which is up to 15% faster than 5nm, will be shipping in volume next year.  Leaving N4X as rather a niche proposition.
  
  
  
• Two 8-core Chinese Ryzens are faster than one 6-core American Ryzen.  (Tom's Hardware)
  
  Back before the launch of the Zen CPUs, bleeding cash and with their share price at the bottom of the ocean, AMD signed a joint venture deal with Chinese company Rygon, sharing Zen 1 technology but no further updates.
  
  That's what these chips are.
  
  
  
• Speaking of weird Chinese stuff, this 25" black-and-white monitor costs about $2500.  (Tom's Hardware)
  
  And it can only display 16 shades of grey.
  
  Because it's an E Ink display, like a Kindle but much bigger.
  
  Resolution is 3200x1800 which isn't too bad.
  
  
  
• I see it as a win either way.
  
  
  
  And it's working.
  
  
  
  
  
• The US government says it should probably patch that bug thingy soon.  (Bleeping Computer)
  
  They'll get right on it.
  
  
  
• On the other hand, that's kind of your job.
  
  
  
  
  
• It's only a tornado - or two - says Amazon  (The Verge)
  
  Walk it off you big baby.
  
  
  
• It's only your own personal data.  Why should you be permitted access, asks Google.  (TechRadar)
  
  Content that Google in its infinite wisdom deems "misleading" may be locked without notice.
  
  Content on Google Drive.
  
  Not on their social network, because they don't have one.  On their file storage.
  
  There is no cloud, there's just other people's computers.  And they're probably communists.
  
  
  
• Adobe's share price plunged 10% after announcing sales growth of 20%.  (CNBC)
  
  This is due to investor concerns over inflation and interest rates, which I am reliably informed are a transitory issue and everything is going great and we are definitely not "fucked beyond any possibility of redemption".
  
  
  
• US schools are cancelling classes over TikTok.  (The  Verge)
  
  At some point you might begin to suspect that teachers aren't actually interested in, you know, teaching.
  
  
  
• Verizon, caught spying on its customers, forcibly opted those customers into the spying program and sent them an email thanking them for their participation.  (The Verge)
  
  Thank you for your generous contribution of $1000 to the Hobos United Benevolent Fund.  This payment will be taken automatically from your account.  You can opt out of this at any time by clicking on this link.
  
  
  
• Amazon partnered with China to boost the country's booming historical revisionism and genocide apologetics industry.  (Reuters)
  
  Nice one, Jeff.
  
  
  
• US regulators are taking a look at the booming "buy now, pay later, definitely no interest or fees ha ha" industry.  (CNN)
  
  In fairness this industry is only marginally less ethical than the one mentioned above.
  
  
  
• US regulators also flagged stablecoins as a systemic risk to the economy.  (Reuters)
  
  This came in at #4, after inflation, interest rates, and US regulators.
  
  
  
• Scientists have discovered a millipede.  (The Guardian)
  
  Specifically the Australian creepy-crawly has 1306 legs, the first species discovered that truly has over 1000.
  
  
  
• A thousand-dollar iPhone lost to a $400 Google Pixel in blind camera tests.  (9 to 5 Mac)
  
  Aren't blind camera tests basically random?
  
  
  
• Dutch authorities have banned anti-5G "negative ion" pendants for being insufficiently fake.  (The Register)
  
  They really do generate negative ions.
  
  Because they are radioactive.

Posted by: Grumpy and Recalcitrant at Saturday, December 18 2021 06:36 PM (nRMeC)

Posted by: Pixy Misa at Sunday, December 19 2021 12:45 PM (PiXy!)

Posted by: Rick C at Sunday, December 19 2021 01:36 PM (Z0GF0)

Posted by: cxt217 at Sunday, December 19 2021 02:17 PM (MuaLM)

Posted by: Pixy Misa at Sunday, December 19 2021 05:53 PM (PiXy!)

Posted by: normal at Sunday, December 19 2021 11:06 PM (obo9H)

Posted by: Frank at Monday, December 20 2021 09:46 AM (rglbH)

Posted by: Rick C at Monday, December 20 2021 10:55 AM (Z0GF0)

Posted by: PatBuckman at Monday, December 20 2021 11:41 AM (r9O5h)

Posted by: StargazerA5 at Thursday, December 23 2021 01:29 AM (iXREa)

Posted by: normal at Thursday, December 23 2021 04:16 AM (LADmw)

Posted by: Rick C at Thursday, December 23 2021 07:51 AM (oPg+d)

Hide Comments | Add Comment

• So I technically survived the last working day of the year and I'm technically on leave for three weeks.  In reality I'll be logging in on Monday to do a few things - but I won't be answering phone calls or attending meetings.  Those alone make it a holiday.
  
  
  
• Lumi arrived, or possibly Pomu.  Anyway, the second of my Dell Inspiron 16 Plus laptops.  I might get a third one of these - I'm using them as compact, portable servers with a built-in UPS, which is why I need more than one of them.
  
  The specific model I've been buying isn't 40% off right now so any potential purchases will wait until that sale comes around again.
  
  
  
• Ethereum costs $250 per second and is 5000 times slower than a Raspberry Pi costing $45.  (Usenix)
  
  It has a data transfer rate about as fast as a 19.2k modem and storage costs that would turn a 1960 IBM account manager green with envy.
  
  And it doesn't even work consistently.
  
  
  
  

Tech News

• Merry Christmas!  You've been hacked!  Here's a bill for $45,000!  (Tom's Hardware)
  
  Just what I wanted!  How did you guess?
  
  
  
• I'm not sure who the imagined market is for a $2600 audiophile network switch.  (Tom's Hardware)
  
  Audiophiles want tube amplifiers and laser turntable pickups.  They don't stream from Spotify.
  
  
  
• A reader also forwarded this audiophile SSD.  (AudiophileStyle)
  
  This one does have one valid function: 100% of the TLC flash is locked in pseudo-SLC mode, making for more consistent write speeds.  Though any SSD these days is a thousand times faster than is needed for audio recording and playback, even if you're using 192kHz and 32 bits.
  
  
  
• Next-level Zenloss:A new strain of ransomware specifically targets Minecraft servers.  (Bleeping Computer)
  
  Ha.  My Minecraft server runs in a container and the host takes a snapshot every twenty minutes.
  
  And keeps it.
  
  Forever.
  
  Thousands of the damn things.
  
  I really should clean that up.
  
  (I think zenloss is a Hololive term, and mostly relates to Minecraft, which is rather nasty about deleting all your items if you die and don't make it back to your place of death in five minutes.)
  
  
  
• Log4j attackers otherwise are switching to mining Monero.  (Bleeping Computer)
  
  That's the same thing that happened in that $45,000 AWS account breach above - the hackers used the account to mine Monero, earning themselves $800 at a cost of $45,000.  So yes, it's 50 times less painful to just have your wallet stolen.
  
  
  
• Fossil fuels kill a million people a year.  (Ars Technica)
  
  Sort of.  Shorten lifespans to that effect, anyway.
  
  Mostly coal.
  
  Mostly China.
  
  If you've seen a major Chinese city on a bad air day this is entirely believable.
  
  
  
• So burn wood instead.  (New Yorker)
  
  It's technically renewable so the EU will shower you with subsidies even though it makes no fucking sense.
  
  If the system is stupid you might as well take advantage of it.
  
  
  
• At EA it can take a day to change a three lines of code.  (Neowin)
  
  Or rather - the article is kind of dumb - it takes five minutes to make the change and the rest of the day to test the effects throughout the game.
  
  
  
• Crypto investors were cheated out of $8 billion in 2021.  (The Register)
  
  Still less than civil asset forfeiture.
  
  
  
• Is China going backwards to Mao or sideways to Pol Pot?  (The Register)
  
  The Chinese government has issued a new list of things you're not allowed to say in video streams, including:
  
  1. Suggesting socialism is anything but perfect.
  2. Suggesting Marxism is anything but perfect.
  3. Suggesting the CCP is anything but perfect.
  4. Suggesting that maybe things are going in the wrong direction.
  5. Suggesting that the CCP has at any time in history been anything but perfect.
  6. Suggesting that shoving people into an unmarked van at 3AM never to be seen again might not be the most perfectly ethical way to behave.
  7. Making jokes about the CCP.
  8. Pointing out that Taiwan is a country that exists.
  9. Mentioning the independence movements in Hong Kong, Tibet, Xinjiang, or basically anywhere else on the planet the CCP considers their property.
  10. Reporting on any foreign news that reports on any of that or mentions Taiwan as a country that exists.
  11. History.
  12. Making jokes about China.
  13. Making jokes about the Chinese flag.
  14. Making jokes about the Chinese national anthem.
  15. Factual reporting about what Chinese leaders actually said.
  16. Cosplaying as any Chinese leader.
  17. Wearing funny hats.
  18. Pointing out that that Mao guy kinda sucked.
  ...
  100. Anything else the CCP doesn't like.
  
  Yes, the list has exactly 100 rules, and yes, that's the last one.
  
  
  
  

Party Like It's 1979 Video of the Day

Posted by: normal at Friday, December 17 2021 10:46 PM (obo9H)

Posted by: Rick C at Saturday, December 18 2021 12:23 AM (Z0GF0)

Posted by: Rick C at Saturday, December 18 2021 12:25 AM (Z0GF0)

Posted by: Mark Gosdin at Saturday, December 18 2021 12:30 AM (FKpVG)

Posted by: PatBuckman at Saturday, December 18 2021 02:19 AM (r9O5h)

Posted by: Rick C at Saturday, December 18 2021 03:31 AM (Z0GF0)

Posted by: benzeen at Saturday, December 18 2021 04:31 AM (/p5qM)

Posted by: PatBuckman at Saturday, December 18 2021 04:43 AM (r9O5h)

Posted by: Mauser at Saturday, December 18 2021 04:30 PM (Ix1l6)

Hide Comments | Add Comment

• The great thing about working in the crypto field is that no matter how badly you screw up there are thousands of people working tirelessly to put your mistake into perspective.  (Mashable)
  
  Coinbase had a "display issue" that made thousands of customers into instant billionaires - on screen, anyway.
  
  

• Why would people believe this?  Well, many didn't.
  
  
  But on the other hand, this sort of nonsense actually happens for real.  (The Information)
  
  Early backers of the Solana blockchain are cashing out after making a 430,000% return on their investment.
  
  If that sounds unsustainable that's because it is.
  
  
  
• A Japanese startup has shown off a working 7-bit NAND flash cell.  (AnandTech)
  
  Working as in actually working and not losing your data after three seconds, which is what you'd expect from 7LC.  They use a new cell design to achieve this workingness.
  
  Downside is that the cells are bigger than regular TLC or QLC, so the gain in device density is basically nil.
  
  
  
• Hynix is sampling 24Gbit DDR5 RAM.  (AnandTech)
  
  The DRAM industry isn't ready yet to ship 32Gbit chips, so the DDR5 spec was designed to permit an intermediate size of 24Gbit instead of the usual doubling.  This means that any DDR5 CPU that properly follows the spec will be able to support 192GB of RAM instead of 128GB as soon as these ship - or 96GB on a typical laptop.
  
  
  
• If you want a 10Gb Ethernet interface but don't have a free PCIe slot you can plug it into an M.2 slot instead which is great but kind of pointless because now your Ethernet port is on the inside of your computer.  (Tom's Hardware)
  
  
  
• The 12GB RTX 3080 that Nvidia may or may not be announcing will be 3% faster than the 10GB model.  (WCCFTech)
  
  Okay.
  
  
  
• Unix command line like it's 1979 article of the day.  (Dan Luu)
  
  In 1979 the tar command (used for backups - it's short for tape archive) had 12 command line options.  As of 2017 it had 139.
  
  ps (used to show programs running on a Unix system) had 4 options in 1979.  It now has 85.
  
  Maybe do a little less of this?
  
  
  
• Microsoft's Azure Active Directory service apparently had a bad day.
  
  The internet did not implode.
  
  Good luck finding an outage on this status page.  (Azure)
  
  Though maybe they push things to the top if there's an outage.  Right now every single Azure service around the world appears to be working properly.
  
  
  
• IBM has announced a new transistor design that could reduce power consumption by up to 85%.  (IBM)
  
  It's also smaller than regular finFET transistors manufactured at a given process node.
  
  Since power consumption is the limiting factor for large chips like CPUs and GPUs this would be a huge win.
  
  
  
• QNAP has a 16 port 25GbE desktop switch.  (Serve the Home)
  
  I'm looking at getting a QNAP 8 port 2.5GbE desktop switch, so this one is only 20 times faster than that.
  
  
  
• ZDNet has a - what's the term?  - advertorial for Degoo cloud storage.  (ZDNet)
  
  You may be wondering what the hell is Degoo, or you may think that it's the stuff that removes the sticky residue left behind when you peel a label off a new appliance.
  
  It's nothing so useful.  (Cloud Storage Info)
  
  Pros: Cheap
  Cons: Doesn't fucking work
  
  
  
• New York City is banning natural gas.  (CNBC)
  
  They'll be forcing new construction to use electric heating instead.
  
  Which in New York mostly comes from natural gas.

Posted by: Frank at Friday, December 17 2021 01:31 AM (rglbH)

Posted by: normal at Friday, December 17 2021 03:33 AM (LADmw)

Hide Comments | Add Comment

• The patched version of Log4j was still unsafe.  (LunaSec)
  
  Go patch your patches.
  
  
  
• Half of corporate networks have been targeted for this vulnerability.  (ZDNet)
  
  The other half don't have the necessary auditing to know they have been targeted.
  
  

• Two trees good, four trees better, say scientists.  (Phys.org)
  
  Plant plants, they suggest.
  
  
  
• The Dell Luna laptop is repairable and upgradeable and for some reason boxier than a 70s Volvo station wagon and an extremely unattractive shade of grey.  (The Verge)
  
  Acer also has a repairable, environmentally friendly laptop range, and they are also boxy and ugly.
  
  
  
• Nvidia's rumoured 16GB 3070 Ti and 12GB 3080 that were rumoured to be scheduled to be announced this week are now rumoured to not.  (WCCFTech)
  
  Unless they are.  Who knows?
  
  
  
  

Party Like It's Schadenfreude All the Way Down Video of the Day

Party Like It's 1979 Video of the Day

Posted by: Grumpy and Recalcitrant at Wednesday, December 15 2021 10:30 PM (nRMeC)

Posted by: Pixy Misa at Thursday, December 16 2021 12:02 AM (PiXy!)

Posted by: Pixy Misa at Thursday, December 16 2021 12:03 AM (PiXy!)

Posted by: Rick C at Thursday, December 16 2021 12:18 AM (Z0GF0)

Posted by: PatBuckman at Thursday, December 16 2021 01:49 AM (r9O5h)

Posted by: normal at Thursday, December 16 2021 02:23 AM (LADmw)

Posted by: Pixy Misa at Thursday, December 16 2021 03:16 AM (PiXy!)

Posted by: normal at Thursday, December 16 2021 07:47 AM (obo9H)

Posted by: David at Thursday, December 16 2021 11:12 AM (t/97R)

Posted by: normal at Friday, December 17 2021 03:41 AM (LADmw)

Hide Comments | Add Comment

• News continues to be quiet, which reminds me of what I did this time last year.
  
  And I'll do it again if you're not careful.
  
  Only one of the videos in the December 31 post is dead, and I know which it is, and I think there's an alternate source.
  
  
  
• Open source is not broken.  (Nadh.in)
  
  The argument is not wrong in itself but it doesn't really address the claim.  The author is trying to say that just because the cause of open source software's breakage is outside of open source that open source is not broken, but that's nonsense.
  
  It's important to identify the cause, but it's just as important to recognise the wreckage.
  
  (This is in response to an earlier article in response to the Log4j debacle.)

• AMD Navi 12 crypto mining cards are on sale in China.  (Tom's Hardware)
  
  
  
• Where crypto miners face prosecution, and likely persecution, by the country's consistently dictatorial and increasingly Marxist government.  (Coindesk)
  
  This makes sense.
  
  
  
• Progressive utopias are invariably miserable shitholes.  (The Atlantic)
  
  Nothing new here except the source.
  
  
  
• There is no HDMI 2.0, only HDMI 2.1.  (WCCFTech)
  
  They've done the same stupid thing as USB, where 3.0 got relabeled 3.1 Gen 1, then 3.2 Gen 1.  USB4 at least mandates the USB-C connector and 20Gb data transfers; it's backwards compatible but all USB4 devices must support at least 20Gbps.
  
  HDMI 2.1 supports variable refresh rates and HDMI 2.0 does not, but now that there is no HDMI 2.0 you have to stop and read the product manual - if you can even find one - to figure out if it's supported on any given display.
  
  This is known as progress.
  
  
  
• Attackers can get root access to Ubuntu desktop systems by crashing the login screen.  (Bleeping Computer)
  
  This is not good.
  
  Do not - ever - install the Linux desktop on a public server.
  
  
  
• Google has patched Chrome.  (Bleeping Computer)
  
  There's a thing.  They're not saying anything about the thing so you can assume that it's very bad.
  
  The update also patches 15 other things that have been discussed.  And are also bad.
  
  
  
• If your employer uses Kronos for payroll - and organisations including Tesla and and the San Francisco MTA do so - you might be in for a bad Christmas.  (Bleeping Computer)
  
  The servers at Kronos got breached and hit with ransomware.  Kronos is advising customers to

  evaluate and implement alternative business continuity protocols related to the affected UKG solutions.

  Which is a rather sesquipedalian way of saying that you're basically rooted.
  
  
  
• Speaking of rooted, Bluetooth.  (Bleeping Computer)
  
  Millions of devices have potentially insecure WiFi because the WiFi chip also implements Bluetooth.

  Bleeping Computer has reached out to all vendors and asked for a comment on the above, and we will update this post as soon as we hear back.

  In the meantime, and for as long as these hardware-related issues remain unpatched, users are advised to follow these simple protection measures:
  
  1. Encase your digital devices in concrete, dump the concrete in the ocean, and consider moving to another planet entirely.

  Evergreen advice.

Posted by: normal at Wednesday, December 15 2021 01:53 AM (LADmw)

Posted by: PatBuckman at Wednesday, December 15 2021 09:01 AM (r9O5h)

Hide Comments | Add Comment

• Hmm.  Remarkably little news today.  Nothing new has exploded and ruined the lives of sysadmins around the globe.  I think everyone is sleeping off the chaos of last week.
  
  I wish I was.
  
  
  
• Looks like that Log4j vulnerability first surfaced on December 1, a full week before anyone noticed.  (ZDNet)
  
  The idiot script kiddies using every server they can breach to mine crypto actually serve a useful purpose, in the same way that...  404 Analogy not found.  In the same way that Billy the mailboy showing up to work with a thousand bucks worth of bling alerts you to audit your system before Svetlana disappears with a couple of mill.
  
  
  

• Little JNDI Tables.
  
  
  
  
  A researcher hacked Apple - just a little bit - simply by changing the name of his iOS device.  The logs show that Apple's servers dialed out to his research server when his connection was logged, which would have let him run arbitrary code within Apple's datacenter.
  
  That's how bad this was.  That's how easy it was to exploit.  And it was everywhere.
  
  It could be that Apple's logging servers are isolated and can't do anything, but they're not as isolated as Cloudflare's, which were configured so they couldn't dial out at all.
  
  
  
• On the upside, there's this.
  
  
  
  
  Someone exploited a bug in a logging library to make a Minecraft server run Doom.
  
  
  
• New keyboard arrived.  Accidental jellybeans too.  Desktop shelving is now due next Monday rather than today, but whatever.  The second Dell laptop is now stuck in between "shipped" and "on its way" - I think systems bound for Australia are assembled in Singapore, so there's a period where they go into stealth mode where they've been shipped from the factory but tracking just doesn't update.
  
  Won't have time to do anything with it this week anyway.

Posted by: Tim Turner at Tuesday, December 14 2021 12:40 AM (n+R81)

Posted by: Rick C at Tuesday, December 14 2021 01:15 AM (Z0GF0)

Hide Comments | Add Comment

• A massive vulnerability in a Java logging library widely used in enterprise software caused utter panic at pretty much every major company in the world.  One commenter mentioned being in a Slack channel with three thousand other engineers all working frantically to patch systems.
  
  How much was the team of developers working to maintain this library being paid?
  
  If you guessed absolutely nothing you'd be very close.  (Christine.website)
  
  This is obviously unsustainable.  Trillion-dollar companies depend on this software and don't even think about contributing towards its upkeep.
  
  Open source software is supposed to be open.  It's not supposed to be free, because nothing is free.  If you're not paying for it up front, you'll be paying for it later on by diverting every engineer in your entire organisation two days while other critical issues go ignored.
  
  
  
• We're from the government.  We're here to help.  (CISA)
  
  The statement from CISA Director Jen Easterly on the Log4j vulnerability reads

  blah blah blah blah blah you should probably patch that blah blah blah.

  Thanks Jen. 
  
  The director of the US Cybersecurity and Infrastructure Security Agency has an MA in politics, philosophy, and economics from Oxford, which qualifies her for the job almost as much as you might think.
  
  
  

• What went wrong?
  
  Some idiots demanded that a logging library perform magic for them.  (Crawshaw)
  
  And once the magic was put in place, it couldn't be removed because that would break critical software.
  
  And there wasn't anyone to take the necessary time to push back, deprecate the feature, and eventually remove it, because they weren't getting paid.
  
  
  
  
  
  
• Cloudflare reports on the vulnerability and their response.  (Cloudflare)
  
  One important point is that they firewall all their servers for both inbound and outbound access.  If a server gets compromised but is blocked by default from accessing anything else, the damage is contained.
  
  With this particular exploit the payload was installed by dialling out to a malicious server, and if that connection was blocked, nothing happened.  The server got handed a bottle of poison pills but couldn't get the damn child-proof cap off.
  
  
  
• Future AMD GPUs could use stacked dies for cache memory and AI accelerators.  (WCCFTech)
  
  Maybe not the 2022 lineup, but this is likely to happen soon, for reasons.
  
  
  
• The reasons being that Moore's Law is ending - again - in 2028.  (LessWrong)
  
  At the 1.5nm node (which doesn't measure 1.5nm in any dimension but never mind that) planar scaling will likely stop.
  
  What will happen instead - and the linked article goes into all the details you could possibly want - is that chips will go 3D.  Flash storage already has, and it was a revolution.  Cell phone chips stack storage and memory on top of the CPU.  AMD is stacking cache on top of server CPUs, and Intel is wedging stacks of RAM into their supercomputer CPUs.
  
  One of the side effects of this is that chips will get cheaper.  Fabs - chip factories - are massively expensive, and only remain at the leading edge of technology for a couple of years.  If they lasted for twenty years instead of two - and the machines to make the machines for the fabs also lasted twenty years instead of two - prices would come down drastically.
  
  
  
• I want to see default RED.  (Reddit)
  
  While Amazon's systems were down all over the place - not just at US-East-1 but where the one critical Amazon-based service I look after runs in US-West-2 - their public monitoring systems were reporting everything was fine because the outage prevented the monitoring page from updating.
  
  Monitoring systems should autonomously go red if they can't update.
  
  
  
• Intel's new X710-T4L is a massive upgrade.  (Serve the Home)
  
  It's a quad 10Gbase-T card that uses a maximum of 14.2W with all ports running at full speed.  The previous model peaked at 28.9W.
  
  In fact, this model running at 10Gb uses less power than the previous model running at 1Gb.  That's a huge improvement because a core delaying factor in the rollout of 10Gb Ethernet has been the power requirements for running it over cheap twisted-pair cable.  (It uses less power over specialised cables or fiber, but the pricing is absurd.)
  
  The new version of the card is also $100 cheaper than the old one at $500.
  
  It's also out of stock everywhere because everything is.
  
  
  
• Except the QSW-M2108-2C which does seem to be available albeit in short supply.  (QNAP)
  
  I wanted a 2.5Gb / 10Gb managed switch for my lab buildout, but had planned to settle for an unmanaged model because I could find one that wasn't insanely expensive.  This is just what I wanted - 8 x 2.5Gb ports, 2 x 10Gb ports with both RJ45 and SFP+ connectors, and fairly solid management features including link aggregation and VLANs.
  
  Part of the function of the software lab I'm building is to simulate real-world faults, and being able to mess with the network under software control is a key part of that.
  
  They also have a 16-port model, but that's more than I need, twice as expensive, and out of stock.
  
  
  
• Managed 1Gb switches are a dime a dozen.  Well, not quite, but you can get them starting at around $35, a tenth the price of the cheapest managed 2.5Gb switches.
  
  
  
• A new FDA-approved eye drop causes red eyes and headaches.  (CBS News)
  
  Well, what the hell does it treat then?
  
  It treats reading glasses.
  
  If you're between 40 and 65 years old and need reading glasses (but not specifically prescription glasses) these eye drops can alleviate that need for six to ten hours.
  
  Since I do need prescription glasses (I have three pairs for distance, computers, and reading, plus a couple of spares) these won't do anything for me, but if you just need plain cheap reading glasses they could do the trick.
  
  
  
• Apple found a benchmark where the 2021 M1 Max MacBook Pro is faster than the 2019 Intel Mac.  (WCCFTech)
  
  Linus Tech Tips tested the M1 Max and found that while it did excel on one test, most of the time it was slower than an Intel-based notebook with an RTX 3050 - at about one third the price.
  
  That might change as they improve the drivers and software optimisation but right now it's a very expensive toy.
  
  I'll likely be getting a MacBook Air or an iMac to do Mac and iOS software testing for work, but I'll be getting the cheapest model I can get away with.
  
  
  

Party Like It's 1979 Video of the Day

Posted by: Will at Monday, December 13 2021 12:30 AM (8548M)

Posted by: David at Monday, December 13 2021 02:19 AM (kOkn4)

Posted by: Rick C at Monday, December 13 2021 02:42 AM (Z0GF0)

Posted by: Rick C at Monday, December 13 2021 02:48 AM (Z0GF0)

Posted by: normal at Monday, December 13 2021 11:05 AM (obo9H)

Posted by: Pixy Misa at Monday, December 13 2021 03:31 PM (PiXy!)

Hide Comments | Add Comment

• Hackers breached the payroll system for the South Australian government and got all of everyone's data.  (Bleeping Computer)
  
  Name, date of birth, tax file number, address, bank account details, employment, payment and tax data, everything, for up to 80,000 people.

  "Having the bank account details doesn't give you access to the bank account, but it's the first step in trying to crack a code in terms of passwords."

  In theory, sure.  In practice, not so much.  One YouTuber - I don't remember who it was - showed his bank account details on screen because you need the password to actually do anything.
  
  His account got cleaned out.
  
  The breach was at a commercial payroll provider, not the government itself, which means that the other 1700 organisations using the same payroll provider suddenly have a major headache.
  
  
  
• A security breach at Volvo resulted in the loss of their R&D data.  (Bleeping Computer)
  
  It's boxy, but good.
  
  
  
• Hackers also hit multiple government systems in Brazil, including those tracking vaccination programs.  (Reuters)
  
  The systems are currently offline, and it's not clear yet how extensive the breach was, or whether any data was stolen or deleted.

• I've been looking for some compact shelves for my new lab, which is made up of laptops and possibly some NUCs but probably not (see below).  I haven't been able to find quite what I want: Bookshelves are too bulky and most desk storage systems are for paper and will fit a 14" laptop but not a 16" one.
  
  Browsing around storage on Amazon I saw something that looked like what I needed and was cheap and shipped free in 48 hours, so I clicked through to it and then realised what it actually was: A shoe rack.
  
  Well, fine.  By Monday I'll have storage for 40 pairs of shoes or four laptops and the associated power supplies, external drives, switches, routers, USB hubs, audio mixers, speakers, and so on, whichever comes first.
  
  And, uh, another six bags of gluten free jelly beans, because I forgot I had those in my cart.  They have a shelf life of a year; there's no way they won't get eaten.
  
  
  
• Intel just EOLed Panther Canyon.  (Tom's Hardware)
  
  Panther Canyon is the regular range of Tiger Lake NUCs.  Tiger Lake is Intel's 1th generation, and there aren't any low power 12th generation chips yet, so that's the entire current lineup.
  
  I was originally looking to get three of the slim-line i5 NUCs, but then those disappeared.  Now the entire lineup has been cancelled.
  
  Asus makes an alternative with AMD CPUs, but I expect that will become hard to find once retail stock of the Intel model sells out.  So I'm looking at getting a third Inspiron 16 Plus.  It's twice as fast as the Intel NUC - eight cores rather than four - but since it also comes with an RTX 3060 and a 16" 3k screen it's more than twice as expensive.
  
  
  
• What happened at AWS US-East-1.  (Amazon)
  
  The control network used behind the scenes to manage all the other AWS services got overloaded.  Since the control network is used to manage the control network, that not only caused problems all over the place, it prevented engineers immediately fixing the problem.
  
  They had to find a way to redirect some of the traffic when the usual mechanisms for redirecting traffic weren't working, so that they could redirect more of the traffic using the usual mechanisms, so that they could fix the management network, so that they could fix AWS itself.
  
  That's why it took six hours.  There's a button to fix all this, but the button broke.
  
  
  
• Imagor is an image processing server written in Go.  (GitHub)
  
  I've written these things half a dozen times at this point, but it's nice to have one that I can just take off the shelf and deploy.
  
  It takes an image from somewhere (not sure yet if it only reads from upstream HTTP servers or can also read from the filesystem), and can resize, reformat, crop, rotate, blur, sharpen, adjust hue, brightness, and contrast, and overlay other images.
  
  The system we built at my day job does even more - it has its own scripting language to run arbitrary sequences of operations over tens of thousands of files - but for many applications Imagor will provide everything you need.
  
  
  
• An unfortunate alignment of bugs in Android and Microsoft Teams meant one user couldn't dial 911.  (Medium)
  
  They were calling on behalf of their grandmother and the grandmother had a landline phone so immediate crisis averted, but there's a fundamental problem with burying a very simple function in a ever-growing nightmare of complexity.
  
  
  
• An exploit of the Log4j Java library is an enterprise nightmare.  (Bleeping Computer)
  
  The library is developed by Apache an used by many Java-based Apache applications like Struts2, Solr, Druid, Flink - yes, these are all real - none of which I use, though Solr is interesting.  They are commonly used by small companies like Apple, Amazon, Cloudflare, Twitter, and Steam, so there are many, many sysadmins having a bad day yet again, because the bug is being actively exploited right now.
  
  
  
• And Minecraft.  (Bleeping Computer)
  
  If you run a public Minecraft server, update it right now.  The Java edition of the Minecraft client has also been updated but it's not clear if it's directly vulnerable.
  
  
  
• Elasticsearch, for once, is not vulnerable.  (Elastic)
  
  They use the Java Security Manager which prevents this attack.
  
  
  
• Here's the Apache announcement of the vulnerability.  (Apache)
  
  Note that I do not refer to this a bug.  It's not a bug.  It's a feature.  The Apache Log4j library is DESIGNED to allow the execution of arbitrary code.
  
  Good work there, guys.  Top notch.
  
  
  
• A new bill in the US Senate would force social networks to open their data to researchers.  (The Verge)
  
  Whereupon it would get hacked, but that's not the key point here.
  
  The key point is the penalty involved: If networks fail to provide this access, the bill would revoke their CDMA 230 protections.
  
  And once the idea is out there that those protections are contingent rather than fundamental, all the social networks are screwed.  I don't think the Democrats understand what they are doing; the social networks are their best - possibly their only - friends, but the they treat them as enemies.
  
  

Posted by: PatBuckman at Sunday, December 12 2021 01:03 AM (r9O5h)

Posted by: PatBuckman at Sunday, December 12 2021 01:07 AM (r9O5h)

Posted by: Pixy Misa at Sunday, December 12 2021 01:51 AM (PiXy!)

Posted by: StargazerA5 at Sunday, December 12 2021 03:01 AM (gJ4RY)

Hide Comments | Add Comment

• Dell has a new range of XPS desktop systems, using DDR5.  For some reason.  You can't buy DDR5 RAM anywhere, but you can configure a system on Dell's website with up to 128GB for an extra $1300.  And it doesn't change the delivery date, which is this time next month.  Whether that's realistic or not is an open question, but my latest Dell order left the factory a day ahead of schedule, so they seem to have some idea of the extent of the delays in their pipeline.
  
  But there's the question of how much faster memory actually helps and the answer is not much.  (Tom's Hardware)
  
  On a range of synthetic and real-world benchmarks, upgrading from DDR4-2666 to DDR4-4600 improved performance by about 5%.
  
  
  
• Gluten free nuggies and Special K are out of stock again.  But I do have eight pounds of gluten free jelly beans and jelly babies, since that order arrived unimpeded, along with that little mixer I mentioned and some audio cables for it.
  
  What hasn't arrived yet is my new keyboard, and the . key on the current one just required percussive maintenance again.
  
  

• AMD just released an update to their Linux drivers for Radeon 9500, 9700, and 9800 cards.  (Phoronix)
  
  Which came out in 2002.
  
  
  
• Speaking of Linux and AMD, the company just confirmed that their 4th generation "Genoa" server CPUs will support 12 channel DDR5 RAM.  (Tom's Hardware)
  
  Not by press release.  It's in their Linux kernel patches, the number one source for confirmed leaks these days.
  
  
  
• Australia's stupid federal government is debating new regulations for stupid social networks.  (ZDNet)
  
  The article makes my head hurt.  Everyone involved is both lying and stupid.
  
  
  
• Now they know how many holes it takes to fill the Albert Hall.  (Quanta)

  The first major advance on the Arnold conjecture took place decades later, in the 1980s, when a young mathematician named Andreas Floer developed a radical new way of counting holes. Floer’s theory quickly became one of the central tools in symplectic geometry. Yet even as mathematicians used Floer’s ideas, they imagined it should be possible to transcend his theory itself — to develop other theories in light of the new perspective that Floer opened up.

  Nope, no idea.

Party Like It's 1988 Video of the Day

Posted by: cxt217 at Saturday, December 11 2021 02:36 AM (MuaLM)

Posted by: DougO at Saturday, December 11 2021 04:06 AM (G1vK4)

Hide Comments | Add Comment