Wednesday, September 08
Water In The Fire Edition
- WhatsApp - the secure end-to-end encrypted messaging app - isn't quite. (Gizmodo)
Says WhatsApp:
We can't read or listen to your personal conversations, as they are end-to-end encrypted. This will never change
On the other hand, if someone reports you for misconduct, WhatsApp's moderation team can see your messages.
You need to read past the scary headline and get into the details before you find out what's going on: Someone pressing that report button sends the decrypted messages from you straight back to WhatsApp. It has to work that way, or you'd have no way of handling complaints. But it means - and this should be obvious anyway - that no matter how secure the channel, if the person at the other end can't be trusted, you have no security at all.
Think of WhatsApp as a room full of classified documents and the report button as Bradley Manning.
- Or think of WhatsApp as a McDonald's Monopoly contest and the report button as a database connection error. (Bleeping Computer)
One thing I learned long ago is if you're lazy and hard-code database connection parameters in some pre-production code, make sure they're assigned to variables well outside any potential stack trace. Because if you put them right in the connection call, and you forget that debug mode is enabled on the application server, and the pre-production code gets rushed into production - all events with a 95% or better probability - then the first time you have a connection error every single user will see your database password.
Of course your database should be locked to your internal network and firewalled both locally and at the network boundary, right? And you wouldn't also leak the login credentials for the server itself. Nobody would be that silly.
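As an added illustration (not code from the post or from any of the products it mentions): a mock debug page of the kind an application server renders when debug mode is left on, built from an exception raised right next to an inline connection string, followed by the redaction pass a defender would run over such a page before anything gets shown. The DSN, host and password are constructed samples; the real remedy remains keeping credentials in configuration outside the failing frame and turning debug mode off in production.

```python
import re
import traceback

# Matches the user:password@ fragment of a DSN such as postgresql://app:pw@host/db.
_DSN_CREDS = re.compile(r"://([^:/@\s]+):([^@\s]+)@")
# Matches a "name = value" local-variable line whose name looks secret-bearing.
_SECRET_LOCAL = re.compile(
    r"^(?P<indent>\s+)(?P<name>\w*(pass|pwd|secret|token|dsn|key)\w*)\s*=\s*.*$",
    re.IGNORECASE | re.MULTILINE,
)


def connect_with_inline_credentials():
    """The lazy pattern the post warns about: the password typed straight into the call."""
    dsn = "postgresql://app:hunter2@db.internal:5432/prod"  # constructed sample, not real
    # Stand-in for the driver failing to reach the database.
    raise ConnectionError("could not connect to db.internal:5432")


def render_debug_page(exc):
    """Mimic a framework debug page: the traceback plus every frame's local variables."""
    tbe = traceback.TracebackException.from_exception(exc, capture_locals=True)
    return "".join(tbe.format())


def redact(page):
    """Scrub user:password@ fragments and secret-looking locals before the page is shown."""
    page = _DSN_CREDS.sub(r"://\1:***@", page)
    return _SECRET_LOCAL.sub(r"\g<indent>\g<name> = '***'", page)


def demo():
    """Return the raw debug page (leaks the password) and the redacted one (does not)."""
    try:
        connect_with_inline_credentials()
    except ConnectionError as exc:
        raw = render_debug_page(exc)
    return raw, redact(raw)


if __name__ == "__main__":
    raw_page, clean_page = demo()
    print("--- raw debug page ---\n" + raw_page)
    print("--- redacted ---\n" + clean_page)
```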
- IBM's Power 10 CPUs are on their way. (AnandTech)
15 cores with 8 threads per core on each chip, and two chips per socket. 30MB L2 and 128MB L3 cache. 1TB memory bandwidth per socket, 1TB of inter-socket interconnect, and 512GB of PCIe 5.0 for I/O.
Just don't ask how much it costs.
- The SEC is suing Coinbase over its Lend program which doesn't even exist yet. (Coinbase)
The SEC asked the crypto industry to provide information on upcoming projects so that the SEC could provide regulatory guidance. Coinbase - the fools - took them at their word. And now the SEC has filed notice of intent to sue Coinbase, over a product that doesn't exist, without at any point before or since saying what the substance of the complaint is.
- GitHub creates useless garbage merges. (Kernel.org)
It's just Linus Torvalds spouting off again. It's not like he invented Git or anything.
- Hacking hackers hacked the Jenkins project's Confluence server... And used it to mine Monero. (Bleeping Computer)
This could have been a crippling supply-chain attack, because Jenkins is widely used to automate software testing.
Fortunately for us all, the hackers were idiots.
- Intel is spending $80 billion on two new chip plants in Europe. (Thurrott.com)
You might well ask why not in the US, and the answer is they are already expanding all their facilities in the US and building a huge new facility in Arizona as well.
They're betting that demand for semiconductors isn't going to decline any time soon - and hedging against the possibility of disruption in the Far East. Even short of a war, China could cause significant mischief.
- Almost forgot this one. We've used two monitoring services at my day job - Datadog and StatusCake. (I also use StatusCake for my own servers.)
The monitoring agent for Datadog is a 750MB install that includes its own version of Python. I have no idea what is going on in there; it's completely unauditable and I consider it a supply chain attack waiting to happen.
The monitoring agent for StatusCake fits on one page. I read through it, passed it on to our new sysadmin, he read through it, and we shrugged and are going to install it on all our servers.
Not everything needs to be an avalanche of crap.
Over at accordingtohoyt, one of the semi-regulars is a little involved in finance. Recently, he has been pretty concerned about Evergrande.
Just checked for an update, and he says Evergrande has defaulted, and he doesn't understand what is happening, because their stock closed up.
Posted by: PatBuckman at Thursday, September 09 2021 12:44 AM (r9O5h)
Posted by: Pixy Misa at Thursday, September 09 2021 12:18 PM (PiXy!)
Posted by: The Brickmuppet at Thursday, September 09 2021 03:37 PM (SjASx)
Either version 2013 or 2018 (can't remember which) stopped being able to support the ext2/3/4 partitions properly. Instead of backing up the files and ignoring the blank space, it instead insisted on backing up the entire partition (sector by sector, blank space included) and trying to compress all of that. The partition image files for ext2/3/4 partitions were thus huge, slow to make, and slow to restore. I don't know why this change was made, but performance and time required to deal with linux partitions became an awful experience.
It might have been the 2013 version that the problem manifested in, and 2018 was only purchased to see if they'd fixed things (they hadn't) and I started using the open source CloneZilla shortly after that. It's not the most user friendly UI but it does things properly, and that's all I really ask.
I don't even look at Acronis' products anymore, as a result.
Posted by: Grumpy and Recalcitrant at Thursday, September 09 2021 11:41 PM (nRMeC)
Posted by: StargazerA5 at Friday, September 10 2021 10:47 AM (AnIjE)