Posts by sweh

Re: "Perlod's guidelines seem reasonable"

2xRAM never applied to Linux (nor Solaris 2); it's an old BSD (hence SunOS 4) thing where if you had nMB of RAM then you needed nMB of swap as backing store, so 2nMB swap resulted in a total of 2nMB of virtual memory (if swap was smaller than RAM then you couldn't even use all your RAM). Yuck.

So to match the old SunOS rule-of-thumb of "swap = twice RAM" then you'd have "swap = RAM" to get the same effective result. But that's from back when memory was small; 4Mb of RAM was luxury. Now we have gigs of RAM; do we really want to be doing slow slow slow swapping of gigs to disk?

It gets even more complicated. Old school swapping doesn't really happen these days; it's pretty much all paging ("swapping" used to mean placing a whole process into swap; "paging" works at a memory page level). Paging is more effective because it means a program could still be running and doesn't need to page back in the swapped out pages if it never touches them. Note, though, that we still call it "swapping in/out pages of memory" so the terminology is less than clear :-) But this means that really infrequently used pages of memory can be thrown away from memory and placed into swap with pretty much zero performance impact; they might never be used again!

If gets yet even more complicated when we look at demand paging of applications; even apps don't get loaded into memory in one chunk, the pages get loaded in as needed. Processes can start faster, less RAM is used and it makes shared pages (eg common pages of libc that might be in many processes) even more efficient (it's already in RAM). It also means that the kernel could just _drop_ pages (don't send them to swap) and reload them from the original executable if the page is ever needed again.

And then we run into what failure mode you want to tolerate. For some people having the OOM kill a process and generate a hard failure is sometimes more preferable to reduced performance ("why is it taking me 10 seconds just to get the login prompt on the console? Oh, the machine is swapping to death..."). Think of a cluster of web servers behind a load balancer; having the webserver die (and so drop out of the load balancer much much quicker) might be preferable to having it take forever to respond to an API request (a load balancer health check might succeed where an API call might time out because that needs more backend resources).

So how much swap do you need? It depends :-)

Re: OCCAM and Transputers

Yeah, my first login was October 1987, and in 1990 I was supporting Ultrix, SunOS 4, Xenix, Altos SVr2 and SVr3 systems, and Convergent Technologies CTIX (which I think was a SVr3 version).

When Linux became a viable OS (as opposed to the 0.11 root+boot disks which were a fine proof of concept) I only went with it rather than BSD because the NetBSD install of the time didn't understand PC partitions so I couldn't dual-boot between it and DOS. I lucked into the right path :-)

Re: Ah yes, 6-Sigma.

I got caught out on that, once. The ISO9000 audit failed us for our backups. Not because our backups were bad, but because they _exceeded_ what we'd documented (we had an extra verification step in the process that we hadn't documented). Such a PITA.

BIOS Boot process

> The legacy-BIOS boot process requires more than just that: it also needs a boot sector

It very much also depends on the boot medium.

The first sector of the hard disk (the Master Boot Record - MBR) contains the primary boot loader, along with the definitions of the 4 primary partitions. In the old DOS days this code could be created with "FDISK /MBR". At power on time the BIOS would read the MBR sector (signature, code, partition table) into memory then execute it.

It was then up to those 440-ish bytes of code to find (from the in-memory partition table) the secondary boot loader for the active partition. This was generally the first few sectors of that partition and was OS specific. The DOS loader would know enough to find IO.SYS and COMMAND.COM; all this could be written with the "SYS" command. More complicated loaders, such as LILO and then GRUB could do a lot lot more.

A floppy disk boot skipped that MBR process ('cos no partitions) and went straight to the OS specific boot loader, loading from the first sector of the disk. As you noted, older Linux kernels had this boot loader code at the beginning so it could be raw-written to a floppy. eg the 0.11 boot+root disks; the boot disk held the boot sector and the kernel, and then you switched that out for the root disk once the kernel had loaded.

All these sectors were loaded in using BIOS calls, and in the early days the C/H/S definitions led to the 500MB limit for the C: drive (although older DOS - eg 3.3 - had a 20MB limit, anyway); it wasn't until LBA mode came along that we could handle larger disks. The LILO secondary files all had to live within that first 500Mbyte of disk 'cos it still used the BIOS to load them, hence the common setup of having /boot being a separate partition at the beginning of the disk when dealing with larger disks.

Really old PCs couldn't boot from CD and hadn't even heard of USB :-) That's why the older Windows CD also came with a boot floppy!

Re: Always looking the wrong way at the wrong thing.

This is where things get complicated. If you used corporate Exchange servers in 2010 then it also came with a (really bad) version of OWA; Outlook Web Access. It did the barest minimum necessary for a web based mail/calendar but it really wasn't a replacement for the fat client.

outlook.com, as a web service, didn't start until around 2013 ( https://news.microsoft.com/source/2013/02/18/microsoft-officially-launches-outlook-com/ )

So it's very possible that a user in 2010 using the Outlook application was using it as a POP3 client (IMAP if they were lucky) to another mail service.

Re: Too much in us-east-1

Never use the "server side encryption" (SSE) function of things like S3 because they are totally dependent on the Cloud Service Provider's (CSPs) tooling and the data is processed unencrypted on the CSP infrastructure. I made it a hard requirement for storing sensitive data in the cloud; S3 SSE was necessary for all class of data, but insufficient for sensitive data.

For that we also use "client side encryption".

In this, the keys need not be stored "in the clear"; they can be stored in HSMs (even on-prem HSMs), and pulled into compute memory for use in encryption/decryption. Good software even fragments that key throughout memory so it's not contiguous and need not even be in the same locations during an execution.

Is this impossible to break? No, but it would require the CSP to take a memory snapshot of your machine and then try to find where the fragments exist and reconstruct the key. Or perhaps try and find the credentials to the HSM and spoof network traffic with the necessary identity to get the HSM to release the keys.

This is an active attack and a LOT different to the CSP handing over of keys they possess to the authorities.

Re: (larger) US pint

Note that a US floz is larger than a UK floz (29.6ml vs 28.4ml) so you can't directly compare 16 to 20.

It's better to convert to a common unit (metric, in this case) where a US pint is 473ml, vs a UK pint of 568ml; this makes it clearer that a UK pint is "only" 20% larger than a US pint and not the 25% you might expect due to floz counts.

Re: Such awful interop

[clarkson]POWER![/clarkson]

No docker needed

It's trivially simple to extract the minimum necessary files from the container and run this "native". You don't even need docker engine to do the extract.

Even better, they document the process at https://github.com/dani-garcia/vaultwarden/wiki/Pre-built-binaries using the docker-image-extract script

AAD is not AD

Entra ID is the new name for "Azure Active Directory" (AAD). AAD was not "Active Directory" (AD) in anything except name; it was a totally different technology. They used the name for marketing reasons, and it probably got a few people to migrate from on-prem AD to AAD.

Re: The age old problem

"And amazingly C++ for DOS, UNIX, Xenix etc was available by 1987. Linux Kernel 1st release was 1993."

FWIW, Linux kernel 0.11 was 1991, 0.95 (where it was going mainstream and early distros appearedl e.g. https://en.wikipedia.org/wiki/MCC_Interim_Linux#Version_0.95c+) was 1992, 0.99 was end 1992; 1.0 was 1994.

There _was_ an attempt to allow C++ in the kernel in the past but it was pretty much abandoned 'cos the state of the compilers weren't that good and Torvalds was not a fan of the language; https://lkml.org/lkml/2004/1/20/20

Re: Colossus

Or even the film ("Colossus: The Forbin Project", 1970).

"This is the voice of world control. I bring you peace. It may be the peace of plenty and content or the peace of unburied death. The choice is yours: Obey me and live, or disobey and die."

Re: BBC Basic

10 DIM C% 50

20 FOR A=0 TO 2 STEP 2

30 P%=C%

40 [OPT A

50 LDX #0

60 .lp

70 LDA msg,X

80 BEQ fin

90 JSR &FFEE

100 INX

110 BNE lp

120 .fin

130 RTS

140 .msg

150 EQUS "Hello, world!"

160 EQUB 13

170 EQUB 10

180 BRK

190 ]

200 NEXT

210 CALL C%

Eliza?

The old-school not-an-AI. e.g. https://8bs.nerdoftheherd.com/8BS48/content/2-eliza/

I moved to NYC 22 years ago, and wandering around I found some Cadbury's Fruit and Nut. Since I was a little home sick I bought it. And after tasting a few chunks was almost sick. Checking the label I saw "Made under license by Hershey".

That put me off Hershey chocolate!

FreePascal FTW! https://www.freepascal.org/

Re: Take responsibility

I also have the 6 account "family" plan; with work discount that's $75/yr for 6TB of cloud storage.

I use it as an offsite copy of my backups, using rclone to do the copying (which encrypts while uploading). So I have primary backups onto my raid6, which is my normal "oops, I deleted a file I need it back" store. I rsync that to external USB disks, just incase the raid dies totally. It'd take a while, but I'd be able to restore almost everything. And then I rclone the important bits that to the cloud, just incase there's a fire or something; in this case I wouldn't be able to recover my ripped DVDs/BDs but I would be able to get everything else.

Is that overkill for a home network? Probably! But then I also have 2 DNS servers, 2 DHCP servers, run my own web/smtp/dns/nntp/vpn/... Overkill is kinda what I do :-)

Re: Huh?

There's a reason why we now have WSL2; this uses hypervisor technology to run Linux in a micro-VM. This increases compatibility (eg "docker" won't run on WSL1, it runs fine on WSL2). But at a cost. For example, with WSL1 your processes show up in the windows task manager but with WSL2 this doesn't happen; Windows is mostly blind to what happens inside the VM.

Microsoft can easily deprecate WSL1 if they need to, but retain the ability to run Linux apps via WSL2.

Re: Ignoring the big issue

> Nobody has the right to redistribute source under the GPL

GPL says "1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium"

So once I have the source code I have the right to distribute it anywhere (as long as I "conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program."

There's no _mandate_ that I distribute the source (unless I distribute a binary based on that source) but I do have the right to do it. And whoever I send the source to _also_ has the right to distribute it, and so on.

Re: I think. although maybe harsh

Hmm, I'm paying US$75/yr for a family O365 account; that's 6 users, each with 1Tb of OneDrive storage. 6Tb for $75? That's not a bad price, on its own, for off-site storage!

And with `rclone` (www.rclone.org) to send encrypted backups, and `https://github.com/abraunegg/onedrive` for "live-ish" syncing it means my Linux machines can happily make use of that space.

Re: All my bulbs are old now :-(

The hue hub does not need to receive incoming connections from the internet; it reaches out to a google cloud hosted service via https. It does this to receive firmware updates, and to allow for remote control when out of house, and for integration with voice assistants, etc.

Re: FYI

PogoPlug from 2009 did this (although it wasn't wireless). See, for example, https://zatznotfunny.com/2009-10/pogoplug-cloud-realignment/

Re: Why not kit out airports with anti-drone drones?

Flesh'n'blood hawks do the job just fine; https://www.youtube.com/watch?v=b5DEg2qZzkU

Re: I'd like to know

If the cert was being used for passive TLS decryption (a common technique for Data Loss Prevention) then an expired cert may not trigger alarms (the device manufacturer may consider that a normal case; certs do expire, especially if the cert store can handle multiple ones) but the TLS decryption would fail (also a normal scenario).

Since, in this scenario, it's passive no traffic gets blocked and data is no longer inspected.

Cert management needs to be proactive, not reactive.

Re: It's Christmas!

Interesting demographic niche there: old enough to like "Merry Christmas Everybody", young enough to think Alexa is a good idea.

Or maybe old enough to be able to decide for themselves the pros and cons of Alexa and feel that the "fun" factor outweighs the minimal risk.

https://www.sweharris.org/post/2017-01-02-always-listening/

BTW, I'm 50 this year. Hardly a youngster.

Re: Be much more interested in...

"NT4[...]stable and snappy"... yes, it dropped into that stable blue screen very very quickly!

Re: @Tomato42

In the US, ISPs are mostly a local monopoly. You get your local cableco... or maybe Verizon if you're lucky. No real choice.

And when we've seen Verizon, Comcast, AT&T all MITM traffic...

And then you have people using Starbucks WiFi (are you sure you're on the Starbucks hotspot and not someone pretending to be it?) and other free hotspots...

Basically, the underlying transport must be considered insecure.

I'm only 50, and I've seen failed switches. Admittedly that's in America, where I find the whole electrical setup to be scarily bad, compared to what I grew up with in England :-)

Re: Isn't cloud supposed to be fault tolerant?

No, clouds are not meant to be fault tolerant. "The cloud" may always be there and running, but individual instances inside the cloud may die at any time.

Clouds allow you to build applications that are fault tolerant. Indeed, applications should be designed to assume failure. There are many design patterns that can help with this.

This is why "lift and shift" doesn't buy you anything except "outsourced data center". If you build traditional applications and deploy them to the cloud then you need traditional HA solutions as well; duplicated service in a different datacenter, data copying, "DR" processes...

The responsibility for availability in the cloud rests solely on the application owner.

Re: MasterCard 'clarification' of MCC/SIC code?

This is most likely what happened.

Chase has not changed policies. The surcharge for cash advances has been around for many many years.

Merchant classifications, however, change all the time. Mostly you don't see them because you (as the card user) don't really care. It can affect what merchants may be in-scope for "5% bonus points" promotions, and end of year breakdowns, but normally it's invisible to you. Given the millions of merchants, it would be pointless telling you of changes.

So if this particular merchant had their classification changed so that it now counts as a cash advance then Chase would be perfectly entitled to put the surcharge on.

I fully expect this case to be dismissed.