On-line Opinion Magazine…OK, it's a blog

Happy New Year!

Happy New Year

С Новым годом
Prosit Neujahr
Feliz Año Nuevo
Bonne Année
Felice Anno Nuovo
Gelukkig Nieuwjaar
Gott Nytt År
새해 복 많이 받으세요
Blwyddyn Newydd Dda
Onnellista Uutta Vuotta

May you be safe from the idiots who think gravity is just a theory and fire off guns, failing to understand that what goes up will come down.

Given the prevalence of accurate timekeeping devices, it is amazing that the explosions that are supposed to signal the new year extend for hours beginning four hours before and extending well after the actual event. Anyone who thinks alcohol and gunpowder is a recipe for a long life should be avoided by insurance agents.

The new year brings new opportunities, so here’s hoping that the good wins out and the world is made a little better. It hasn’t happened yet, but there’s always a chance.


1 oldwhitelady { 01.01.18 at 4:55 pm }

Happy New Year, Bryan! Good should win out! I just hope it happens sooner rather than later.

2 Bryan { 01.01.18 at 5:00 pm }

It’s getting a bit concerning as to how long it’s taking, but we may have triggered a big enough reaction this year to finally tip the scales towards the good.

3 Kryten42 { 01.03.18 at 3:29 pm }

Well… So far, so good… Kinda. Apart from the ongoing political crap, there’s this:

A Huge Intel Security Hole Could Slow Down Your PC Soon

I have the patch for my Linux & it does indeed slow my system about 4% on normal use, a little higher on heavy use, & significantly higher on heavy network use (using internet & accessing NAS). I expect Win10 to be worse when the patch is released.

I don’t know when Apple will have an OSX patch out.

Yayyyy Intel. *sigh*

4 Bryan { 01.03.18 at 9:34 pm }

I won’t notice much on the Win 10 machine. It loads so slow now that a little slower would be undetectable without test software. I don’t know if people are getting better at finding vulnerabilities or people are getting sloppier in their designs. It’s probably a combination of both.

5 Kryten42 { 01.04.18 at 6:00 pm }

I understand. 🙂

Apparently, it’s even worse than originally thought. There are actually two major flaws, one that affects CPUs other than Intel’s major Core series of the past decade. Here’s the updated article:

How Will the Meltdown and Spectre Flaws Affect My PC?

6 Kryten42 { 01.04.18 at 7:09 pm }

My security mail feeds have been busy regarding this for a few Months now! I’ll summarize the highlights:

Working with various linux/SW/HW vendors, the conclusion is that the primary issue with Meltdown is that an attacker can locate and read kernel memory that contains valuable information an attacker can use. The major problem is this essentially renders ASLR (Address Space Layout Randomization) useless. The current fix is to remove the kernel from the process memory map, which requires a full context switch that will take significantly more time to perform. When the kernel is mapped into the process address space, it only requires a simple call to access. But with the kernel removed from the process address space, it now requires a slower switching of address spaces. Although the performance hit varied, performance degradation was up to 60% for some applications, especially those using hardware interrupt handlers.

This has caused serious issues @ Prometeus/IWstack as it’s not a simple task to reboot many servers, especially in a distributed cloud network! It’s a complex process, especially when clients will be affected (as badtux doubtlessly can attest).

M$ have a Win 10 patch, but Windows Update doesn’t have it to download nor does the Update Catalog have it available for manual download yet.

It appears M$ added a way to disable the patch via a registry key. The consensus is that the only ones to benefit from this are certain Government agencies, who may have at least known of this flaw for some time, & hackers.

Google’s Project Zero have discovered three variants and reported them to Intel, ARM & AMD on June 1st 2017:

Project Zero: Reading privileged memory with a side-channel

The Project Zero report above gets quite technical. There is a somewhat easier to understand discussion & Q/A (with in-depth PDFs available for download):

Meltdown and Spectre

Fun times… again!

7 Kryten42 { 01.04.18 at 8:25 pm }

Addendum: I meant to add that M$ will only be releasing security updates for non-EOL OS’s. I made a list of all systems a fix is available for as far as I know:

Windows 10 / Server 2016 v1709 : KB4056892
Windows 10 / Server 2016 v1703 : KB4056891
Windows 10 / Server 2016 v1607 : KB4056890
Windows 10 v1511 : KB4056888
Windows 10 Initial Release : KB4056893
Windows 8.1 / Server 2012 R2 : KB4056898
Windows Server 2012 (EOL) : N/A
Windows 7 / Server 2008 R2 : KB4056897
Windows Vista / Server 2008 (EOL) : N/A
Windows XP (EOL) : N/A

macOS High Sierra : macOS High Sierra 10.13.2
macOS Sierra : Security Update 2017-002 Sierra
macOS El Capitan : Security Update 2017-005 El Capitan

Linux (Debian-based) : Run sudo apt update && sudo apt upgrade -y, then reboot.
Linux (Fedora/RHEL-based) : Run sudo yum update, reboot, run sudo dnf --refresh update kernel, reboot again.
Linux (Amazon Linux on AWS) : Run yum update kernel && reboot.
Linux (Arch) : Run pacman -Syu && reboot.
Linux (other) : Check repository to see if updates have made their way downstream.

Android : A security update will drop today (2018/01/05).
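Added example, not part of the comments above: after the Linux update-and-reboot steps in the list, the kernel's own report shows whether the "remove the kernel from the process memory map" fix (reported as PTI) is active. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 or a distro backport); the function names and the sample values in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's Meltdown/Spectre status files.
# Usage: sh check.sh /sys/devices/system/cpu/vulnerabilities
# With no argument it runs against a constructed sample directory.

# classify_status STRING -> mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> prints "name status raw-text" for each status file.
# Returns 0 if everything is mitigated or not affected, 1 if any entry is
# vulnerable or unrecognised, 2 if DIR is missing (kernel too old to report).
report_dir() {
    rd_dir=$1
    rd_rc=0
    [ -d "$rd_dir" ] || { echo "no status directory: $rd_dir"; return 2; }
    for rd_file in "$rd_dir"/*; do
        [ -f "$rd_file" ] || continue
        rd_name=${rd_file##*/}
        rd_raw=$(head -n 1 "$rd_file")
        rd_status=$(classify_status "$rd_raw")
        printf '%-12s %-13s %s\n' "$rd_name" "$rd_status" "$rd_raw"
        case "$rd_status" in
            vulnerable|unknown) rd_rc=1 ;;
        esac
    done
    return "$rd_rc"
}

# Constructed sample (not from a real host): Meltdown fixed by page-table
# isolation, Spectre variant 2 still reported as vulnerable.
demo() {
    demo_dir=$(mktemp -d) || return 3
    printf 'Mitigation: PTI\n' > "$demo_dir/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$demo_dir/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$demo_dir/spectre_v2"
    demo_rc=0
    report_dir "$demo_dir" || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

if [ "$#" -gt 0 ]; then
    report_dir "$1"
else
    demo || true
fi
```

A missing directory (return code 2) means the running kernel predates the reporting interface, which is itself a sign the update has not taken effect.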

8 Bryan { 01.04.18 at 9:27 pm }

Meltdown only affects this box, which I use daily, the only box with an Intel processor, but Spectre hits all of my boxes. The only saving grace is that Spectre exploits are hard to implement. Now I want someone to convince me that NSA and the other members of the Five Eyes haven’t known about Meltdown for a decade and declined to mention it as it was so useful for obtaining passwords.

Of course that is just the native paranoia of a former member of the ‘club’. It would be nice if at some point NSA remembered that one of its two major missions is to harden the US networks against attacks.

9 Kryten42 { 01.04.18 at 9:46 pm }

I’ve commented before Bryan, that it would have been a true pleasure working with you *back in the day*! 😉 😀

Here… We all deserve a laugh! You probably know about Michael Wolff’s book “Fire and Fury” that was due to be launched across the USA next week, and Dotard’s stupid legal attempt to block publication? Thanks to Dotard, the Book will be available from tomorrow now. 😆

Tell-all book on Trump to be released early despite White House legal effort

I’ve pre-ordered a copy from Amazon! I suspect it’ll be the World’s biggest seller for 2018! 😆 😆

🤣😏Perfect! A sane person might think Dotard & his WH sycophants would learn the Law by now! They’re experts at running afoul of it often! Morons are running the USA. Can’t wait to read the book!👍🏾

10 Bryan { 01.04.18 at 10:18 pm }

I guess the real power of the book is that Wolff had his tape recorder with him for many/most of his interviews, so it will be difficult to claim that you didn’t say what is on the tape, unless you are Trump who thinks what he says overrides reality.

The Federal courts take a dim view of requests for ‘prior restraint’. Their general view is print it and then we will all see whether or not it should have been printed. The First Amendment to the Constitution still has a lot of support.

Not for nothing, but the only button on Trump’s desk calls a steward to bring another Diet Coke. The process to launch a nuclear strike is not as simple as some people seem to believe. If it was just a button, you wouldn’t have a military officer with a brief case shadowing the President everywhere.

To get competent legal representation you have to pay your lawyers. Trump’s record of not paying is why no major DC law firm will represent him.

11 Kryten42 { 01.06.18 at 5:14 am }

An awesome piece was published in GQ by Drew Magary, who really despises Wolff as a Journalist, as do many. But he does hit the nail in this money quote:

He did it by sleazily ingratiating himself with the White House, gaining access, hosting weird private dinners, and then taking full advantage of the administration’s basic lack of knowledge about how reporting works. Some of the officials Wolff got on tape claim to be unaware that they were on the record. Wolff denies this, but he’s very much up front in the book’s intro about the fact that he was able to exploit the incredible “lack of experience” on display here. In other words, Wolff got his book by playing a bunch of naive dopes.

Thank God for that. Wolff has spent this week thoroughly exploiting Trump and his minions the same way they’ve exploited the cluelessness of others. And he pulled it off because, at long last, there was a reporter out there willing to toss decorum aside and burn bridges the same way Trump does.

And Dotard Tantrums response was entirely predictable & Twitter is almost having a hilarity meltdown! 😆

Michael Wolff is a total loser who made up stories in order to sell this really boring and untruthful book. He used Sloppy Steve Bannon, who cried when he got fired and begged for his job. Now Sloppy Steve has been dumped like a dog by almost everyone. Too bad!

Michael Wolff Did What Every Other White House Reporter Is Too Cowardly to Do

12 Bryan { 01.06.18 at 3:38 pm }

Michael Wolff is a known quantity so a professional communications operation for a real politician would avoid him like the plague. OTOH when you have a “celebrity” organization that is based on public relations, a group that believes that getting the “brand” mentioned is good for the bottom line, and a writer with absolutely no qualms about sucking up to the targets, this is going to happen. The Arabs played him, the French played him, the Chinese played him, and most of all the Russians played him. Trump was primed for Michael Wolff by Fox News. Wolff acted like a Fox reporter and the Trump organization acted like a golden retriever that was just told he was a ‘good boy’.

As I mentioned on interviews – just let Trump be Trump and report exactly what he says in his 11-year-old’s English. Of course, the average 11-year-old has a much larger vocabulary than Trump.

13 Kryten42 { 01.06.18 at 7:55 pm }

Yes. 🙂

Here’s another great article in the Atlantic by David Frum:

Donald Trump Goes Full Fredo

The money quote here I think is:

It may not be the newsiest—arguably it is the least newsy—but the most important moment in Wolff’s book are words attributed at second or third-hand to Senate Majority Leader Mitch McConnell at the time of Donald Trump’s election. “He will sign anything we put in front of him.”

And this:

What sustains Trump now is the support of people who know what he is, but back him anyway. Republican political elites who know him for what he is, but who back him because they believe they can control and use him; conservative media elites who sense what he is, but who delight in the cultural wars he provokes; rank-and-file conservatives who care more about their grievances and hatreds than the governance of the country.

14 Bryan { 01.06.18 at 9:51 pm }

Something just occurred to me. I have known a lot of illiterate adults, mainly down here, but in other parts of the US. Rather than admitting their problem, most will learn to ‘draw’ their signature. They don’t really understand about individual letters or the difference between upper and lower case, but they produce a small piece of graphic art when they need to sign. That’s what Trump’s signature reminds me of, a drawing not a signature. It is huge and he displays it for people to see like he was in kindergarten.

Given all of the money that his father had available to get him admitted to schools and university, I’m starting to wonder if he is literate. I read today that he actually dictates his tweets to Hope Hicks who then gives them to the White House Twitter typist.

15 Kryten42 { 01.07.18 at 12:26 am }

There was a Mother Jones investigation in 2015 about whether he sends his own tweets. Updated in 2016:

Does Donald Trump Send His Own Tweets? An Investigation

And yes… I’ve dealt with semi-literate & illiterate people in Sheltered Workshops I managed for a few years. The difference being, they didn’t want to be that way and wanted to be productive. Many had learning disabilities. Almost all ended up overcoming their issues & being wonderful employees. I was proud of them. I’d have kicked Dotard out the door after a couple weeks. Maybe less.

16 Bryan { 01.07.18 at 11:29 am }

I’ve used ARC [Association for Retarded Citizens was the original name, but now just The ARC] for years to supply services and the teams did a great job with attention to detail that most “for profit” businesses didn’t provide. The ARC members separated the recycle stuff from other debris and were really pleased when you told them they could redeem it [$.05/can or bottle in California at the time] when they cleaned up around the outside of the office and parking lot.

Most of the illiterates I have encountered left school to go to work early. They or their parents never saw the point of ‘book learning’. Later they learned how to fake literacy with dodges like drawing their signature to get jobs. My Mother would fill out checks for customers when she worked at the local grocery store and the customer would ‘sign’ them. Trump is faking it. He recognizes his name on the summaries he’s given, and that’s about it.

Trump depends on lawyers, accountants, and kids to do the reading. He is the bullshitter-in-chief, the master-of-ceremonies, the presenter. He has a core vocabulary that is barely into 3 digits.

17 Kryten42 { 01.07.18 at 8:12 pm }

Yes. Agree with all.

I discovered that they were very good at repetitive tasks. At first, we made wiring looms & harnesses & it’s amazing how exact they were! And every one was near identical and in 2+ years never had a defect. Eventually, we had a few that became very skilled with a soldering iron. They didn’t really understand electronics, though some did learn the basics and understood. They were excellent @ “This resistor with these colored bands goes here!” etc. I remember well the first small boards they assembled with 8 components, and their nervous looks as I examined them. I tell you… the soldering and attention to details was incredible! I gave them all big hugs & told them how impressed I was! Then took them all to lunch at their favorite lunch shop where the owner & staff loved them and made their sandwiches or meals exactly they way they liked them!

Damn! I truly miss that! The Gov. killed the programs stating we were exploiting people with disabilities! We fought for quite some time, but couldn’t win. Of course, what it was really about was their donors complaining we were stealing their work, where they WERE exploiting their employees, by offering much better work at better prices. We even had some large Aus. companies on our side who loved the work & they helped fund the campaign. But we lost.

Some people can be good Humans. And some are just plain evil bastards that need a bullet!

18 Kryten42 { 01.07.18 at 11:22 pm }

Well… this New Year sux so far. I just found out that Ron Tandberg died of cancer. I didn’t even know he was ill! I’ll miss his awesome toons!

And another one gone…
Rest in Peace, Ron Tandberg! You helped keep the World sane.👋🏾😔

19 Bryan { 01.08.18 at 11:53 am }

The first half of January is always overloaded with deaths. People hold on through the holidays, and then give up. They don’t want to spoil Christmas for their family and friends, but use up everything they had in reserve doing it.

The government uses the forced labor of prisoners for the benefit of private businesses, but non-profits are “exploiting” the disabled by providing useful employment and job skills. Politicians would rather they were vegetating on disability pensions than paying taxes and creating assets for the economy.

I’ve heard that crap my entire life – business can’t compete against government, but business is more efficient than government. If business was really so GD efficient they could compete against anyone, and if government was so damn sloppy why does it cost us so much more when a government function is privatized 😡

20 Kryten42 { 01.10.18 at 12:02 am }

RW Gov’s have the scam down pat.
1. Defund the Gov. Social Service or whatever department they want to privatize & appoint someone purposely incompetent to run it. Also make it expensive to fix!
2. Eventually, public outcry over the terrible service will allow the Gov. to say that the only fix is to hand it to private business.
3. pocket their reward!

Looks like Florida is becoming a great place for you to be with your Russian Language skills Bryan! 😉 😀

Birth tourism brings Russian baby boom to Miami

Though, I suspect it’s been happening for some time, it appears to have increased significantly the past year as Russian women are becoming more aware of the 14th amendment rights.

Congrats! You may become an *Uncle*! 😜😏

21 Kryten42 { 01.10.18 at 12:48 am }

Drat! Just remembered I meant to post this when we were discussing the new Firefox Quantum. Basically, I dumped it after a week because Mozilla have become worse than Google at collecting & profiting from your info (I’d thought it almost impossible for anyone to be worse than Google @ that)! Much of the tracking/security issues can be disabled if you know how to use the “about:config”, one of the things I do like about Firefox (but the con for Mozilla is they don’t make it easy to find this info).

The best project I’ve found so far for configuring and hardening Firefox privacy, security and anti-fingerprinting:

An ongoing comprehensive user.js template

There’s another (slightly outdated) list of tweaks collated here with more detailed info, with an appropriate title 😉 😆

Firefox bullshit removal

Also found a good alternative FF browser fork with all the “pro’s”, few of the “CON’s”!

Basilisk is a free and Open Source XUL-based web browser

22 Badtux { 01.10.18 at 2:06 am }

The Firefox “bullshit removal” link will basically render our application unusable. For example, we use websockets to provide responsive dashboards. That way you can open up a view of your network that has icons for every device on it, and when a device goes offline or has issues that need looking at, it turns from green to yellow or red (depending upon the severity of the issue — for example, if a video recording server is losing frames as it saves video to disk due to network or disk congestion, it might just go to yellow). If we didn’t use a websocket, we’d have to refresh the page every 30 seconds or so, which would be a lot more database hit than sending a rabbitmq message from the server that’s setting the status to the UI servers that are serving the data saying “the status of device X that you’re subscribed to has changed”, which just hits the database for the status of device X. (UI servers on the other end of the websocket subscribe via rabbitmq to the things they’re displaying, and the status update / alert servers look for rabbitmq subscriptions on devices whose status they’re changing or issuing an alert on). With the subscription / websocket mechanism, only status changes result in database traffic — as versus every 30 seconds having to look up the status of hundreds of devices in the database.

Various other settings he advocates changing would similarly render our service unusable. It appears that his beef is with modern web UI design, not with security. Websockets to https URL’s can only go back to the site that served the page to begin with, so it’s not as if they can inject things into other pages or be used to snoop on other pages. Not if you have the security set up correctly on your browser to prevent cross-domain attacks upon https connections, anyhow….

23 Kryten42 { 01.10.18 at 2:21 am }

I generally assume most people here will only use the *tweaks* that are appropriate for them. And it’s not difficult to try something & change it back if it doesn’t work for your needs.

One reason I prefer Basilisk or other Open-Source XUL-based browsers. I rarely have to change any such settings as they are either appropriately set by default, or the particular *problematic design* issue isn’t part of the build.

It doesn’t really bother me as I only surf via my hardware VPN/Firewall to a few strategic sites Globally with carefully crafted rules about what can & can’t pass! If I find a site that has a problem with that, I research why & if appropriate, tweak the rules to account for it, or find another site. I also have scripts for some sites I need to use that inject false information they don’t need to actually know to work appropriately (like PayPal, though their privacy support has surprisingly been improving). Google, on the other hand, gets a lot of garbage from me & many others I know. I wouldn’t believe most of their stats if I were an advertiser. 😆

24 Bryan { 01.10.18 at 10:37 pm }

Every move has unintended consequences. I’m shifting more of my activity to Opera which has a free VPN included. It seems that every time I find something useful, the developers decide to turn to the dark side and screw up their creation.