Sunday, August 29

Daily News Stuff 29 August 2021
Rocks Considered Harmful Edition
There's a hole in the Hololive English Minecraft server. It's claimed three lives - Kiara (twice) and IRyS, and nobody knows who created it.
So by the power of weaponised autism, the internet discovered the random seed used by the HoloEN server, recreated their game world in its original state, did a frame-by-frame analysis of all 173 Minecraft streams, narrowed down the creation of the hole to between the 9th and 12th of October last year, and blamed Ina.
Who says she is Ina-cent.
Rocks Considered Harmful Edition
Top Story
- I have a copy of the mee.nu system up and running on the new server. I do need to test more before switching over, since we're upgrading the versions of Python and the database server at the same time - but we're certainly getting there.
Expect things to be about twice as fast as before as well.
- Is Microsoft hiring State Department spokescritters to handle its communications?
You can't upgrade old hardware to Windows 11. Well, no, you can, but you have to do it manually rather than using the automated upgrade tool. Well, no, you can do it manually, but then you won't get any updates, ever. (PC World)
Wait...
No updates.
No updates.
Wrap it up, I'll take it.
Tech News
- You can't get the chips, you know: All sorts of integrated circuits are in short supply, not just huge expensive ones like GPUs. (Tom's Hardware)
I noticed recently that the new Asus Ryzen-based NUCs lack the headphone jack found on the old model. Today I discovered that so do recent units of certainy QNAP NASes.
It's not that they decided users no longer wanted audio output. They can't get the chips - or rather, the chips are prioritised elsewhere.
- Beware the benchmarks, they will lie: Upcoming Alder Lake desktop parts from Intel can draw up to 350W if the motherboard unlocks the power limits. (WCCFTech)
Motherboard makers like to do just that because it's an easy way to win benchmarks. Downside is it runs very hot and very loud.
AMD is not innocent of this trick but is not guilty to nearly the same degree.
- How Microsoft, Google, Apple, and IBM will help the US improve its cybersecurity. (Info Security)
Well, IBM hasn't been in the headlines with a giant security catastrophe in the past week, so they've got that going for them, which is nice.
- Microsoft's Cosmos DB security bug has been described as "the worst cloud vulnerability you can imagine". (Ars Technica)
Don't use cloud databases. Cloud servers, yeah, okay, though I still prefer to run my own. Cloud services, maybe. Cloud databases, hell no.
- What's Facebook been up to lately? I've been busy kicking Apple, Google, Twitter, Microsoft, Amazon... Oh, there we go: Facebook Messenger silently censors links in private messages.
I'm ready for my closeup, Mr Skynet. Just get it over with.
Unsolved Mythteries: The Hole In HoleEN Video of the Day
There's a hole in the Hololive English Minecraft server. It's claimed three lives - Kiara (twice) and IRyS, and nobody knows who created it.
So by the power of weaponised autism, the internet discovered the random seed used by the HoloEN server, recreated their game world in its original state, did a frame-by-frame analysis of all 173 Minecraft streams, narrowed down the creation of the hole to between the 9th and 12th of October last year, and blamed Ina.
Who says she is Ina-cent.
Disclaimer: Have you tried unplugging your Skynet and plugging it in again?
Posted by: Pixy Misa at
03:55 PM
| Comments (5)
| Add Comment
| Trackbacks (Suck)
Post contains 507 words, total size 5 kb.
1
A big national effort to improve cybersecurity will fail if it has incorrect premises baked into it.
Major national cybersecurity breeches have occurred directly because of 'Presidents' apparently cheated in by electoral fraud.
Throwing big software companies at it looks like a way to distract from starting at physical security and working on from hardware next.
Basic first step includes getting rid of the damned electronic voting machines, which is an appropriate task to plan and carry out at the local/county level.
Posted by: PatBuckman at Sunday, August 29 2021 08:03 PM (DHVaH)
2
Google has never had a security catastrophe. Those have all been failures of your expectations.
Posted by: normal at Sunday, August 29 2021 11:49 PM (obo9H)
3
After actually reading that absurd Info Security piece . . . there's a lot of High-Quality Stupidâ„¢ out there in the world. Amazon and Apple are going to make things more secure with a massive multi-factor authentication effort. So now the Chinese and Russian hackers will have everyone's biometric passwords in addition to all the other crap they've exfiltrated from these idiots's servers.
"Microsoft has committed $20bn over five years to drive security by design"
Ford Motor Company has committed $100bn over five years to drive transportation by design. Hasbro Inc has committed $15bn over five years to drive My Little Pony by design. Google has committed $400bn over five years to drive mental illness by design.
"Aside from these commitments, the White House announced the expansion of its Industrial Control Systems Cybersecurity Initiative, from the electricity sector to natural gas pipelines, and said the National Institute of Standards and Technology (NIST) would develop a new framework for supply chain security." Unplug the network cable, you idiots. Disable the network stack on critical systems. Build systems that don't have the capability of being remotely penetrated, and then make physical access extremely difficult, like putting guys with machine guns around it.
"Microsoft has committed $20bn over five years to drive security by design"
Ford Motor Company has committed $100bn over five years to drive transportation by design. Hasbro Inc has committed $15bn over five years to drive My Little Pony by design. Google has committed $400bn over five years to drive mental illness by design.
"Aside from these commitments, the White House announced the expansion of its Industrial Control Systems Cybersecurity Initiative, from the electricity sector to natural gas pipelines, and said the National Institute of Standards and Technology (NIST) would develop a new framework for supply chain security." Unplug the network cable, you idiots. Disable the network stack on critical systems. Build systems that don't have the capability of being remotely penetrated, and then make physical access extremely difficult, like putting guys with machine guns around it.
Posted by: normal at Monday, August 30 2021 03:23 AM (obo9H)
4
'security by design' is probably at least a semi-legitimate concept.
There's a bunch of 'design for x' sub-fields of engineering, like design for manufacturability, etc.
Engineering tries to solve problems by breaking them into bits that can be studied separately, and maybe by letting specialists work on each bit. Like, with an electric motor powering a propeller on a shaft, you have a solid mechanics guy thinking about the shaft, a fluid mechanics team thinking about the propeller, and none of the mechanical people are thinking about how electricity works. (Or maybe you have one guy that knows the fields well enough.) Obviously, designing a rotating pump, an internal combustion engine, and a circuit board are wildly different. But the design theory folks think they can condense common elements enough so that someone can read design theory, and read the specialized technical theory applicable to the type of device, and get somewhere without apprenticing under an engineer that knows how to design that type of device.
Security definitely has to be designed into software, and cannot be implemented afterwards. So, naively it would seem like 'design for security' could be legitimate. Two problems. One, you are limited in your options for security by the complexity of the rest of your design. So you could not design a system from scratch to be secure without already being a good designer of the type of system. Security design probably is not a skillset that stands on its own, and which can be learned as a stand alone field. Two, if you have a large private bureaucracy try to develop a field, it is going to come up with a bureaucratic body of knowledge, and you will have trouble applying it in a different organization, if you can even get the information and permission to use it.
Additionally, HR already does not understand software design skillsets, or how to hire software experts, and management does not understand how to tell good ideas from bad, or how to judge quality of work. So even a good example of a top down solution of this sort would be bad. You can get organizations to enthusiastically mouth the words, but you could not compel people to understand.
We would not have had the increase in industrial controls compromises if the effin' technocrats had not screwed things up so badly with covid alarmism. Industrial controls were not perfectly designed for security, but rapid implementation of covid compliance seems to have resulted in a bunch of holes being opened to allow for remote access.
Big thing for supply chain security: Do not let commie scum buy influence to promote their manufacturing.
Big thing for industrial security: Don't let the Democrats capriciously screw things up.
I have a lot of positive things to say about NIST. Thinking that any federal bureaucracy is the answer here is not a thing I would say.
Gen. Miley formerly ran the Army Research Lab. Some of the ARL folks were told after the GAO compromise, that self driving military vehicles were a bad idea unless they could prevent a reoccurance of such leaks. ARL folks promised that measures would be taken. Then Gen. Miley failed to Boogaloo against Biden, and now we have the current theatrical pretense, which is the early stages of allowing for further security compromises, preventable compromises, by everyone from the PRC to particularly incompetent mid east terrorists.
There's a bunch of 'design for x' sub-fields of engineering, like design for manufacturability, etc.
Engineering tries to solve problems by breaking them into bits that can be studied separately, and maybe by letting specialists work on each bit. Like, with an electric motor powering a propeller on a shaft, you have a solid mechanics guy thinking about the shaft, a fluid mechanics team thinking about the propeller, and none of the mechanical people are thinking about how electricity works. (Or maybe you have one guy that knows the fields well enough.) Obviously, designing a rotating pump, an internal combustion engine, and a circuit board are wildly different. But the design theory folks think they can condense common elements enough so that someone can read design theory, and read the specialized technical theory applicable to the type of device, and get somewhere without apprenticing under an engineer that knows how to design that type of device.
Security definitely has to be designed into software, and cannot be implemented afterwards. So, naively it would seem like 'design for security' could be legitimate. Two problems. One, you are limited in your options for security by the complexity of the rest of your design. So you could not design a system from scratch to be secure without already being a good designer of the type of system. Security design probably is not a skillset that stands on its own, and which can be learned as a stand alone field. Two, if you have a large private bureaucracy try to develop a field, it is going to come up with a bureaucratic body of knowledge, and you will have trouble applying it in a different organization, if you can even get the information and permission to use it.
Additionally, HR already does not understand software design skillsets, or how to hire software experts, and management does not understand how to tell good ideas from bad, or how to judge quality of work. So even a good example of a top down solution of this sort would be bad. You can get organizations to enthusiastically mouth the words, but you could not compel people to understand.
We would not have had the increase in industrial controls compromises if the effin' technocrats had not screwed things up so badly with covid alarmism. Industrial controls were not perfectly designed for security, but rapid implementation of covid compliance seems to have resulted in a bunch of holes being opened to allow for remote access.
Big thing for supply chain security: Do not let commie scum buy influence to promote their manufacturing.
Big thing for industrial security: Don't let the Democrats capriciously screw things up.
I have a lot of positive things to say about NIST. Thinking that any federal bureaucracy is the answer here is not a thing I would say.
Gen. Miley formerly ran the Army Research Lab. Some of the ARL folks were told after the GAO compromise, that self driving military vehicles were a bad idea unless they could prevent a reoccurance of such leaks. ARL folks promised that measures would be taken. Then Gen. Miley failed to Boogaloo against Biden, and now we have the current theatrical pretense, which is the early stages of allowing for further security compromises, preventable compromises, by everyone from the PRC to particularly incompetent mid east terrorists.
Posted by: PatBuckman at Monday, August 30 2021 06:29 AM (DHVaH)
5
'security by design' is probably at least a semi-legitimate concept.
Except in Microsoft's case it would require scrapping everything and starting over. I mean: it's not secure (by design because it was never intended to be so), and you can't make it so just by saying so. If you try to start from secure by design concepts you'll pretty quickly end up at "no one will use this" or "we're lying and just suck it up because it will never be secure".
Except in Microsoft's case it would require scrapping everything and starting over. I mean: it's not secure (by design because it was never intended to be so), and you can't make it so just by saying so. If you try to start from secure by design concepts you'll pretty quickly end up at "no one will use this" or "we're lying and just suck it up because it will never be secure".
Posted by: normal at Tuesday, August 31 2021 11:41 AM (obo9H)
58kb generated in CPU 0.0139, elapsed 0.0976 seconds.
58 queries taking 0.0894 seconds, 334 records returned.
Powered by Minx 1.1.6c-pink.
58 queries taking 0.0894 seconds, 334 records returned.
Powered by Minx 1.1.6c-pink.